Source: Yara match |
File source: 00000004.00000002.10716301559.0000000004772000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: DHL04AWB01173903102023PDF.scr.exe PID: 3372, type: MEMORYSTR |
Source: DHL04AWB01173903102023PDF.scr.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: |
Binary string: mshtml.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp |
Source: |
Binary string: D:\SCM\P4\depot\esw\projects\azure\Maglev\DesignerBranches\ezheng\newarch\Vista-AddOn\ExtArch\UI\BtTray\libs\x64\ContactsApi.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, ContactsApi.dll.1.dr, nseB51F.tmp.1.dr |
Source: |
Binary string: D:\Builds\149\N2\HO_MMC_g_2016_r_2016\Sources\AudioPluginMgr\plugins\DefConvertor\Release\DefConvertor.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029EC000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
Source: |
Binary string: mshtml.pdbUGP source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 1_2_00402706 FindFirstFileW, |
1_2_00402706 |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 1_2_0040572C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
1_2_0040572C |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 1_2_004061E0 FindFirstFileW,FindClose, |
1_2_004061E0 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 9.9.9.9 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000003.5959642741.00000000047A3000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000003.5959642741.00000000047A3000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp |
String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. |
Source: DHL04AWB01173903102023PDF.scr.exe, Chirming.scr.4.dr |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://s2.symcb.com0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://sv.symcb.com/sv.crl0f |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://sv.symcd.com0& |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp |
String found in binary or memory: http://www.gopher.ftp://ftp. |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000626000.00000020.00000001.01000000.00000008.sdmp |
String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://www.nero.com |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://www.symauth.com/cps0( |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: http://www.symauth.com/rpa00 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.00000000005F2000.00000020.00000001.01000000.00000008.sdmp |
String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.00000000005F2000.00000020.00000001.01000000.00000008.sdmp |
String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/ |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000003.5959642741.00000000047A3000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004772000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/attachments/503469199062990850/1085873812794523729/NxXRtUXfgqSkIuV181.bin |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com/t |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, APM_DefConvertor.dll.1.dr, nseB51F.tmp.1.dr |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000001.5844146219.0000000000649000.00000020.00000001.01000000.00000008.sdmp |
String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 1_2_00405290 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
1_2_00405290 |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ |
Source: ContactsApi.dll.1.dr |
String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ |
Source: nseB51F.tmp.1.dr |
String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 1_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, |
1_2_0040331C |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029FF000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000000.5630222194.000000000044E000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5984634399.00000000029EC000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameDefConvertor.DLL vs DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.5982708695.0000000000409000.00000004.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000000.5843482212.000000000044E000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe |
Source: DHL04AWB01173903102023PDF.scr.exe |
Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
|
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Process created: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
|
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 1_2_00404587 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
1_2_00404587 |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\AppData\Local\Temp\Slbemaalsflyvningers\Chirming.scr |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\AppData\Local\Temp\nsbBACD.tmp\System.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File created: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Postkassernes C:\Users\user\AppData\Local\Temp\Slbemaalsflyvningers\Chirming.scr |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Postkassernes |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
API call chain: ExitProcess graph end node |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicshutdown |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicvss |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp, DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.000000000478D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000001.00000002.6038796953.0000000010059000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicheartbeat |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerU2\ |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager2\ |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716826508.000000000479E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerU2\:D |
Source: DHL04AWB01173903102023PDF.scr.exe, 00000004.00000002.10716301559.0000000004728000.00000004.00000020.00020000.00000000.sdmp, logs.dat.4.dr |
Binary or memory string: [Program Manager] |
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe |
Code function: 1_2_00405EBF GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, |
1_2_00405EBF |