Source: DHL04AWB01173903102023PDF.scr.exe |
Virustotal: Detection: 13% |
Source: DHL04AWB01173903102023PDF.scr.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: |
Binary string: D:\SCM\P4\depot\esw\projects\azure\Maglev\DesignerBranches\ezheng\newarch\Vista-AddOn\ExtArch\UI\BtTray\libs\x64\ContactsApi.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, ContactsApi.dll.0.dr |
Source: |
Binary string: D:\Builds\149\N2\HO_MMC_g_2016_r_2016\Sources\AudioPluginMgr\plugins\DefConvertor\Release\DefConvertor.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.000000000299F000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_00402706 FindFirstFileW, |
0_2_00402706 |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_0040572C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
0_2_0040572C |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_004061E0 FindFirstFileW,FindClose, |
0_2_004061E0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: DHL04AWB01173903102023PDF.scr.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://s2.symcb.com0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://sv.symcb.com/sv.crl0f |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://sv.symcd.com0& |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://www.nero.com |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://www.symauth.com/cps0( |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: http://www.symauth.com/rpa00 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_00405290 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
0_2_00405290 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ |
Source: nseEDA7.tmp.0.dr |
String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ |
Source: ContactsApi.dll.0.dr |
String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ |
Source: msado25.tlb.0.dr |
Static PE information: No import functions for PE file found |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.000000000299F000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameDefConvertor.DLL vs DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe |
Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, |
0_2_0040331C |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Windows\resources\0409 |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_00404ACD |
0_2_00404ACD |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_004064F2 |
0_2_004064F2 |
Source: DHL04AWB01173903102023PDF.scr.exe |
Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File read: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\Nonhieratical |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\AppData\Local\Temp\nseEDA6.tmp |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File written: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\Z_Custom2.ini |
Source: classification engine |
Classification label: mal64.rans.troj.evad.winEXE@1/11@0/0 |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_0040206A CoCreateInstance, |
0_2_0040206A |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_00404587 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
0_2_00404587 |
Source: DHL04AWB01173903102023PDF.scr.exe |
Static file information: File size 1211760 > 1048576 |
Source: Yara match |
File source: 00000000.00000002.832197103.0000000006825000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_10002D50 push eax; ret |
0_2_10002D7E |
Source: ContactsApi.dll.0.dr |
Static PE information: section name: .nep |
Source: msado25.tlb.0.dr |
Static PE information: 0x8DBA1FD3 [Sun May 7 15:54:59 2045 UTC] |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_00406207 GetModuleHandleA,LoadLibraryA,GetProcAddress, |
0_2_00406207 |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
RDTSC instruction interceptor: First address: 0000000006948C31 second address: 0000000006948C31 instructions: 0x00000000 rdtsc 0x00000002 cmp ecx, edx 0x00000004 cmp ecx, edx 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F18C8FF67D2h 0x0000000a test ecx, edx 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e cmp ebx, eax 0x00000010 rdtsc |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 0_2_00405EBF GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, |
0_2_00405EBF |