Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHL Shipping documents 0020398484995500.exe

Overview

General Information

Sample name:DHL Shipping documents 0020398484995500.exe
Analysis ID:1523785
MD5:1506261e1a6e12c9eadfcbe91a859f76
SHA1:061aa09172c0daef3fc975919a02413ab3a6f01e
SHA256:0dc8ced22931e20ec965bc36c06a974016fe223434d9553007b4a6c04973b2cb
Tags:DHLDHLIndonesiaexeuser-ngokoptmp
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 6 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x33afd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x33b6f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x33bf9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x33c8b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x33cf5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x33d67:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x33dfd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x33e8d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                • 0x30e3d:$s2: GetPrivateProfileString
                • 0x30540:$s3: get_OSFullName
                • 0x31c11:$s5: remove_Key
                • 0x31dd9:$s5: remove_Key
                • 0x32d01:$s6: FtpWebRequest
                • 0x33adf:$s7: logins
                • 0x34051:$s7: logins
                • 0x36d62:$s7: logins
                • 0x36e14:$s7: logins
                • 0x38766:$s7: logins
                • 0x379ae:$s9: 1.85 (Hash, version 2, native byte-order)
                0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  Click to see the 7 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Suricata Signatures

                  No Suricata rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: DHL Shipping documents 0020398484995500.exeAvira: detected
                  Found malware configuration
                  Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
                  Multi AV Scanner detection for domain / URL
                  Source: ftp.concaribe.comVirustotal: Detection: 6%Perma Link
                  Source: http://ftp.concaribe.comVirustotal: Detection: 6%Perma Link
                  Multi AV Scanner detection for submitted file
                  Source: DHL Shipping documents 0020398484995500.exeReversingLabs: Detection: 34%
                  Source: DHL Shipping documents 0020398484995500.exeVirustotal: Detection: 40%Perma Link
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for sample
                  Source: DHL Shipping documents 0020398484995500.exeJoe Sandbox ML: detected
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49706 version: TLS 1.2
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                  Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                  Source: Joe Sandbox ViewIP Address: 192.185.13.234 192.185.13.234
                  Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: api.ipify.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                  Source: global trafficDNS traffic detected: DNS query: ftp.concaribe.com
                  Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://concaribe.com
                  Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.concaribe.com
                  Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: DHL Shipping documents 0020398484995500.exeString found in binary or memory: https://github.com/dnSpy/dnSpy/wiki/Debugging-Unity-Games
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                  Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49706 version: TLS 1.2

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Initial sample is a PE file and has a suspicious name
                  Source: initial sampleStatic PE information: Filename: DHL Shipping documents 0020398484995500.exe
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 0_2_0149E00C0_2_0149E00C
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_00FDA2283_2_00FDA228
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_00FDE7703_2_00FDE770
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_00FDAAB03_2_00FDAAB0
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_00FD4A583_2_00FD4A58
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_00FD3E403_2_00FD3E40
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_00FD41883_2_00FD4188
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A7A8B43_2_06A7A8B4
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A7A5983_2_06A7A598
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A7BDF03_2_06A7BDF0
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A7DBF03_2_06A7DBF0
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A956A03_2_06A956A0
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A966C03_2_06A966C0
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A9C2403_2_06A9C240
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A923803_2_06A92380
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A9B3003_2_06A9B300
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A97E403_2_06A97E40
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A977603_2_06A97760
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A9E4683_2_06A9E468
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A900403_2_06A90040
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A95DC83_2_06A95DC8
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A900063_2_06A90006
                  Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSoftwareGame.dll: vs DHL Shipping documents 0020398484995500.exe
                  Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameb6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs DHL Shipping documents 0020398484995500.exe
                  Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2049391209.000000000116E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL Shipping documents 0020398484995500.exe
                  Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050654227.0000000002FD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameb6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs DHL Shipping documents 0020398484995500.exe
                  Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000000.2044424346.0000000000BB2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamepoiliu.exe. vs DHL Shipping documents 0020398484995500.exe
                  Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513950685.0000000000EF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL Shipping documents 0020398484995500.exe
                  Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513145018.000000000043E000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameb6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs DHL Shipping documents 0020398484995500.exe
                  Source: DHL Shipping documents 0020398484995500.exeBinary or memory string: OriginalFilenamepoiliu.exe. vs DHL Shipping documents 0020398484995500.exe
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, Form1.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, Form1.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.57d0000.2.raw.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.57d0000.2.raw.unpack, Form1.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/0@2/2
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeMutant created: NULL
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: DHL Shipping documents 0020398484995500.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: DHL Shipping documents 0020398484995500.exeReversingLabs: Detection: 34%
                  Source: DHL Shipping documents 0020398484995500.exeVirustotal: Detection: 40%
                  Source: unknownProcess created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  barindex
                  .NET source code contains potential unpacker
                  Source: DHL Shipping documents 0020398484995500.exe, RandomGenerator.cs.Net Code: Polan System.AppDomain.Load(byte[])
                  Source: DHL Shipping documents 0020398484995500.exe, MonoTypeLoaderImpl.cs.Net Code: Load
                  Source: DHL Shipping documents 0020398484995500.exe, DbgMonoDebugInternalRuntimeImpl.cs.Net Code: CreateInstance
                  Source: DHL Shipping documents 0020398484995500.exe, DbgMonoDebugInternalRuntimeImpl.cs.Net Code: CreateInstanceNoConstructor
                  Source: DHL Shipping documents 0020398484995500.exe, DbgMonoDebugInternalRuntimeImpl.cs.Net Code: CreateSZArrayCore
                  Source: DHL Shipping documents 0020398484995500.exe, DbgMonoDebugInternalRuntimeImpl.cs.Net Code: CreateArrayCore
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: 0xEB230CD7 [Tue Jan 4 01:26:47 2095 UTC]
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A7FEF0 push es; ret 3_2_06A7FEF4
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeCode function: 3_2_06A73FB7 push 2406B7DAh; retf 3_2_06A73FD5
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: section name: .text entropy: 7.455106876960115
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, Form1.csHigh entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, QJDLGErGwGLnDsDTGnUfx.csHigh entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, Form1.csHigh entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.csHigh entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.57d0000.2.raw.unpack, Form1.csHigh entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.57d0000.2.raw.unpack, QJDLGErGwGLnDsDTGnUfx.csHigh entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeMemory allocated: 1490000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeMemory allocated: 2FD0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeMemory allocated: 4FD0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeMemory allocated: FD0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeMemory allocated: 2E40000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeMemory allocated: 13B0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599777Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599672Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599343Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599234Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599125Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599015Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598906Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598796Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598687Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598578Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598468Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598359Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598250Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598058Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597947Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597835Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597718Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597609Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597500Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597390Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597281Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597172Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597062Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596953Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596843Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596734Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596625Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596515Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596406Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596297Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596187Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596078Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595968Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595859Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595750Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595640Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595526Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595422Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595312Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595203Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595093Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594984Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594874Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594765Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594656Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594547Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594437Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeWindow / User API: threadDelayed 2108Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeWindow / User API: threadDelayed 7747Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep count: 36 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -33204139332677172s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 940Thread sleep count: 2108 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -599890s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 940Thread sleep count: 7747 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -599777s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -599672s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -599562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -599453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -599343s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -599234s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -599125s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -599015s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -598906s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -598796s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -598687s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -598578s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -598468s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -598359s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -598250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -598058s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -597947s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -597835s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -597718s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -597609s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -597500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -597390s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -597281s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -597172s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -597062s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596843s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596734s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596625s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596515s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596406s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596297s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596187s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596078s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595968s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595859s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595640s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595526s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595422s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595312s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595093s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594984s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594874s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594765s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594656s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594547s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594437s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599777Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599672Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599343Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599234Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599125Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 599015Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598906Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598796Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598687Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598578Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598468Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598359Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598250Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 598058Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597947Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597835Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597718Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597609Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597500Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597390Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597281Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597172Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 597062Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596953Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596843Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596734Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596625Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596515Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596406Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596297Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596187Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 596078Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595968Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595859Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595750Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595640Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595526Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595422Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595312Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595203Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 595093Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594984Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594874Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594765Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594656Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594547Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeThread delayed: delay time: 594437Jump to behavior
                  Source: DHL Shipping documents 0020398484995500.exeBinary or memory string: ResumeVirtualMachine
                  Source: DHL Shipping documents 0020398484995500.exeBinary or memory string: InitializeVirtualMachine
                  Source: DHL Shipping documents 0020398484995500.exeBinary or memory string: get_VirtualMachine
                  Source: DHL Shipping documents 0020398484995500.exeBinary or memory string: get_MonoVirtualMachine
                  Source: DHL Shipping documents 0020398484995500.exeBinary or memory string: VirtualMachineManager
                  Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4515719034.00000000010AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeMemory allocated: page read and write | page guardJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeProcess created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 5016, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 6396, type: MEMORYSTR
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: Yara matchFile source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 5016, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 6396, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 5016, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 6396, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		11
                  Process Injection                  		1
                  Disable or Modify Tools                  		2
                  OS Credential Dumping                  		1
                  Query Registry                  		Remote Services1
                  Email Collection                  		11
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                  DLL Side-Loading                  		141
                  Virtualization/Sandbox Evasion                  		1
                  Credentials in Registry                  		111
                  Security Software Discovery                  		Remote Desktop Protocol11
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
                  Process Injection                  		Security Account Manager1
                  Process Discovery                  		SMB/Windows Admin Shares2
                  Data from Local System                  		2
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  Deobfuscate/Decode Files or Information                  		NTDS141
                  Virtualization/Sandbox Evasion                  		Distributed Component Object ModelInput Capture13
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                  Obfuscated Files or Information                  		LSA Secrets1
                  Application Window Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts12
                  Software Packing                  		Cached Domain Credentials1
                  System Network Configuration Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Timestomp                  		DCSync1
                  File and Directory Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  DLL Side-Loading                  		Proc Filesystem24
                  System Information Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.