
Analysis Report DHL document.exe

Overview

General Information

Sample Name: DHL document.exe
Analysis ID: 339038
MD5: 5c629d2ad3a45250eebc832c568e9ad0
SHA1: 8b32e938bcd05fb40ec673607a4748b4badbd614
SHA256: 566554b534a53102dd67fc20bd07ca49241b51616d73619e383e80bdfc4fe08a
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • DHL document.exe (PID: 6756 cmdline: 'C:\Users\user\Desktop\DHL document.exe' MD5: 5C629D2AD3A45250EEBC832C568E9AD0)
    • DHL document.exe (PID: 7004 cmdline: {path} MD5: 5C629D2AD3A45250EEBC832C568E9AD0)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "pFchlRoNMUTKWto", "URL: ": "https://B2bQlilPZYn20R.org", "To: ": "nado@dicon.md", "ByHost: ": "mail.dicon.md:587", "Password: ": "dVALs", "From: ": "nado@dicon.md"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.238800439.0000000004D46000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(3 further entries not shown on this page)

Unpacked PEs

Source | Rule | Description | Author
2.2.DHL document.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: DHL document.exe.7004.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "pFchlRoNMUTKWto", "URL: ": "https://B2bQlilPZYn20R.org", "To: ": "nado@dicon.md", "ByHost: ": "mail.dicon.md:587", "Password: ": "dVALs", "From: ": "nado@dicon.md"}
Multi AV Scanner detection for submitted file
Source: DHL document.exe | Virustotal: Detection: 38%
Source: DHL document.exe | ReversingLabs: Detection: 22%
Machine Learning detection for sample
Source: DHL document.exe | Joe Sandbox ML: detected
Source: 0.2.DHL document.exe.f20000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.DHL document.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL document.exe | Unpacked PE file: 0.2.DHL document.exe.f20000.0.unpack
Source: DHL document.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL document.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_0595964C
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_0595B008

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://B2bQlilPZYn20R.org
Source: global traffic | TCP traffic: 192.168.2.3:49745 -> 194.33.40.40:587
Source: unknown | DNS traffic detected: queries for: mail.dicon.md
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://dicon.md
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://mail.dicon.md
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/05
Source: DHL document.exe, 00000002.00000002.600615092.00000000066B0000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.D
Source: DHL document.exe, 00000002.00000002.600615092.00000000066B0000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.Dll
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: http://stPqVp.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL document.exe, 00000000.00000002.245870053.000000000871A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgreta
Source: DHL document.exe, 00000000.00000002.245870053.000000000871A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL document.exe, 00000000.00000003.215832766.0000000008723000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: DHL document.exe, 00000000.00000003.215701958.0000000008722000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/=
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL document.exe, 00000000.00000003.215386674.0000000008721000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnq
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp, DHL document.exe, 00000000.00000003.216486611.0000000008713000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: DHL document.exe, 00000000.00000003.216784260.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Tpq
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: DHL document.exe, 00000000.00000003.216784260.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp, DHL document.exe, 00000000.00000003.217255637.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: DHL document.exe, 00000000.00000003.216486611.0000000008713000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/tion
Source: DHL document.exe, 00000000.00000003.217557117.0000000008722000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp, DHL document.exe, 00000002.00000002.596777081.0000000002E50000.00000004.00000001.sdmp | String found in binary or memory: https://B2bQlilPZYn20R.org
Source: DHL document.exe, 00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
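The extracted configuration (Malware Configuration section) is an SMTP exfiltration profile, which matches the "Uses SMTP (mail sending)" signature, and the traffic lines at the top of this section show the guest resolving mail.dicon.md and connecting to 194.33.40.40 on port 587. The Python below is an added example, not part of the Joe Sandbox report: it normalises the extractor's output into indicators and checks them against the recorded traffic, so an analyst can see which configured endpoints were actually contacted and which (the URL host) were not. RAW_CONFIG and the two log lines are copied from this report; the log line layout and the binding of 194.33.40.40 to mail.dicon.md (the report lists no DNS answer) are this example's assumptions.

```python
"""Turn an AgentTesla SMTP configuration, as extracted by the sandbox, into
network IOCs and check them against the traffic the sandbox recorded.

Added example for this report, not Joe Sandbox code. RAW_CONFIG and the two
TRAFFIC_LOG lines are copied from the report; the log line layout mirrors
the report's wording and is this example's own convention. No network
access is performed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Extractor output as printed in the report; keys carry a trailing ": ".
RAW_CONFIG = {
    "Username: ": "pFchlRoNMUTKWto",
    "URL: ": "https://B2bQlilPZYn20R.org",
    "To: ": "nado@dicon.md",
    "ByHost: ": "mail.dicon.md:587",
    "Password: ": "dVALs",
    "From: ": "nado@dicon.md",
}

# Constructed from the Networking section (192.168.2.3 is the sandbox guest).
TRAFFIC_LOG = [
    "DNS traffic detected: queries for: mail.dicon.md",
    "TCP traffic: 192.168.2.3:49745 -> 194.33.40.40:587",
]

DNS_RE = re.compile(r"DNS traffic detected: queries for: (\S+)")
TCP_RE = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")


@dataclass(frozen=True)
class SmtpExfilConfig:
    host: str
    port: int
    username: str
    password: str
    sender: str
    recipient: str
    url: str


def normalise_config(raw: Dict[str, str]) -> SmtpExfilConfig:
    """Strip the extractor's 'Key: ' labels and split ByHost into host and port."""
    clean = {k.strip().rstrip(":").lower(): v.strip() for k, v in raw.items()}
    host, _, port = clean["byhost"].partition(":")
    return SmtpExfilConfig(
        host=host,
        port=int(port) if port else 25,  # assume plain SMTP when no port is given
        username=clean["username"],
        password=clean["password"],
        sender=clean["from"],
        recipient=clean["to"],
        url=clean["url"],
    )


def network_iocs(cfg: SmtpExfilConfig) -> set:
    """Blocklist-ready indicators: mail server, server:port, drop mailbox, URL host."""
    return {cfg.host, f"{cfg.host}:{cfg.port}", cfg.recipient, urlparse(cfg.url).netloc}


def correlate(cfg: SmtpExfilConfig, log: List[str]) -> Dict[str, list]:
    """Match configured endpoints against recorded DNS and TCP events.

    A TCP hit is keyed on the configured port only: the report gives no DNS
    answer, so tying 194.33.40.40 to mail.dicon.md is an analyst assumption,
    not something this function can prove from the log alone.
    """
    observed: List[Tuple[str, str]] = []
    seen_hosts = set()
    for line in log:
        m = DNS_RE.search(line)
        if m:
            seen_hosts.add(m.group(1).lower())
            if m.group(1).lower() == cfg.host.lower():
                observed.append(("dns", m.group(1)))
            continue
        m = TCP_RE.search(line)
        if m and int(m.group(4)) == cfg.port:
            observed.append(("tcp", f"{m.group(3)}:{m.group(4)}"))
    url_host = urlparse(cfg.url).netloc
    unobserved = [h for h in (cfg.host, url_host) if h.lower() not in seen_hosts]
    return {"observed": observed, "unobserved": unobserved}


if __name__ == "__main__":
    cfg = normalise_config(RAW_CONFIG)
    print("IOCs:", sorted(network_iocs(cfg)))
    print(correlate(cfg, TRAFFIC_LOG))
```

Run against the report's own lines, correlate() reports the DNS lookup and the port-587 connection as observed and B2bQlilPZYn20R.org as never resolved, which is the practical reason to block the mail server and mailbox first and treat the URL field as a lower-confidence indicator.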

System Summary:

.NET source code contains very large array initializations
Source: 2.2.DHL document.exe.400000.0.unpack, <PrivateImplementationDetails>{7614D01B-8E27-493F-8C34-38287B5DD74F}/5248AC47-A4EC-48FA-A67C-832FDDA33A14.cs | Large array initialization: .cctor: array initializer size 11921
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: DHL document.exe
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D2048
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0480
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D1690
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0F10
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D2FA8
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5078
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D2038
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5088
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D52C0
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D52B0
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5538
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5528
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0470
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0438
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5730
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5720
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D1681
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D1B48
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D1B38
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D2F19
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0E88
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_05958530
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_05958520
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_059564FC
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_0A5CF5F8
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00E762F0
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00E7B378
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB0040
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB5D58
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB2640
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB0F70
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EBE219
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB2639
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_028E46A0
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_028E45B0
Source: DHL document.exe | Binary or memory string: OriginalFilename vs DHL document.exe
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs DHL document.exe
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs DHL document.exe
Source: DHL document.exe, 00000000.00000000.210421799.0000000000F22000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameq/f.exeB vs DHL document.exe
Source: DHL document.exe, 00000000.00000002.249202211.0000000009E00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL document.exe
Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGHMJJpHUWTZmSKvshlsLsrIHFDsQNdx.exe4 vs DHL document.exe
Source: DHL document.exe, 00000002.00000002.591586977.0000000000E80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs DHL document.exe
Source: DHL document.exe, 00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameGHMJJpHUWTZmSKvshlsLsrIHFDsQNdx.exe4 vs DHL document.exe
Source: DHL document.exe, 00000002.00000000.234260071.00000000004E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameq/f.exeB vs DHL document.exe
Source: DHL document.exe, 00000002.00000002.591371215.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL document.exe
Source: DHL document.exe, 00000002.00000002.588857554.0000000000978000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL document.exe
Source: DHL document.exe | Binary or memory string: OriginalFilenameq/f.exeB vs DHL document.exe
Source: DHL document.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL document.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2.2.DHL document.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\DHL document.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL document.exe.log
Source: C:\Users\user\Desktop\DHL document.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: DHL document.exe | Virustotal: Detection: 38%
Source: DHL document.exe | ReversingLabs: Detection: 22%
Source: unknown | Process created: C:\Users\user\Desktop\DHL document.exe 'C:\Users\user\Desktop\DHL document.exe'
Source: unknown | Process created: C:\Users\user\Desktop\DHL document.exe {path}
Source: C:\Users\user\Desktop\DHL document.exe | Process created: C:\Users\user\Desktop\DHL document.exe {path}
Source: C:\Users\user\Desktop\DHL document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DHL document.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DHL document.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL document.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: DHL document.exe | Static file information: File size 1092608 > 1048576
Source: DHL document.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10a000
Source: DHL document.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
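The WMI queries, the Outlook profile key, the hosts-file read and the second copy of DHL document.exe spawned by the first (see Startup: PID 6756 creating PID 7004) are the raw events behind several signatures in the list at the top of the page: VM detection via Win32_Processor and Win32_NetworkAdapter, mail credential theft, and process creation in suspended mode for injection. The Python below is an added example, not Joe Sandbox's signature engine: it encodes those checks as small rules, runs them over an event list constructed from this report's lines, and produces a weighted score. Rule names, weights and the 'parent -> child' process notation are this example's own.

```python
"""Rule-based triage over sandbox behaviour events of the kind this report
lists: VM-detection WMI probes, mail-client credential store access,
hosts-file reads and a process spawning a second copy of itself (the usual
set-up for injecting into a suspended child).

Added example, not Joe Sandbox's signature engine. EVENTS is constructed
from lines in the Startup and System Summary sections and from the
Win32_NetworkAdapter entry in the signature list; the 'parent -> child'
process notation, rule names and weights are this example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

EVENTS = [
    r"WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter",
    r"Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers",
    r"File read: C:\Windows\System32\drivers\etc\hosts",
    r"Process created: C:\Users\user\Desktop\DHL document.exe -> C:\Users\user\Desktop\DHL document.exe",
]

# WMI classes whose values (vendor strings, MAC prefixes, CPU names) give away hypervisors.
VM_PROBE_CLASSES = {"win32_processor", "win32_bios", "win32_baseboard", "win32_networkadapter"}
WMI_RE = re.compile(r"WMI Queries: .*?: (?:SELECT .* FROM )?(Win32_\w+)", re.I)
OUTLOOK_RE = re.compile(
    r"Key opened: (HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles\\\S*)", re.I)
HOSTS_RE = re.compile(r"File read: (\S+\\drivers\\etc\\hosts)$", re.I)
PROC_RE = re.compile(r"Process created: (.+?) -> (.+)$")


def wmi_vm_probe(ev: str) -> Optional[str]:
    m = WMI_RE.match(ev)
    return m.group(1) if m and m.group(1).lower() in VM_PROBE_CLASSES else None


def mail_credential_store(ev: str) -> Optional[str]:
    m = OUTLOOK_RE.match(ev)
    return m.group(1) if m else None


def hosts_file_read(ev: str) -> Optional[str]:
    m = HOSTS_RE.match(ev)
    return m.group(1) if m else None


def self_spawn(ev: str) -> Optional[str]:
    """Parent image identical to child image: classic hollowing set-up."""
    m = PROC_RE.match(ev)
    if m and m.group(1).strip().lower() == m.group(2).strip().lower():
        return m.group(2).strip()
    return None


# (rule name, weight, matcher); weights are illustrative.
RULES: List[tuple] = [
    ("VM detection via WMI hardware query", 2, wmi_vm_probe),
    ("Mail client credential store access", 3, mail_credential_store),
    ("hosts file read", 1, hosts_file_read),
    ("Self-spawn (injection target)", 3, self_spawn),
]


def run_rules(events: List[str]) -> Dict[str, List[str]]:
    """Map each rule that fired to its distinct evidence, in event order."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for name, _, match in RULES:
            hit = match(ev)
            if hit and hit not in findings[name]:
                findings[name].append(hit)
    return dict(findings)


def score(findings: Dict[str, List[str]]) -> int:
    weights = {name: w for name, w, _ in RULES}
    return sum(weights[name] for name in findings)


if __name__ == "__main__":
    f = run_rules(EVENTS)
    for name, evidence in f.items():
        print(f"[{name}]")
        for e in evidence:
            print("   ", e)
    print("score:", score(f))
```

The Safer\CodeIdentifiers key is deliberately left unmatched: reading software restriction policy is something every .NET process does at start-up, so a rule on it would fire on benign hosts. Dedup by evidence value keeps the two Win32_Processor queries as one finding while still recording each distinct class probed.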

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DHL document.exe | Unpacked PE file: 0.2.DHL document.exe.f20000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL document.exe | Unpacked PE file: 0.2.DHL document.exe.f20000.0.unpack
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_00F23130 pushfd ; ret | 0_2_00F23137
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_00F26111 push ebp; retf | 0_2_00F26113
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D242A push ebp; retf | 0_2_017D243D
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_0595C7B4 push edx; ret | 0_2_0595C7B5
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_0A5C3185 push ebp; iretd | 0_2_0A5C3188
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_0A5C1543 push edx; retf | 0_2_0A5C1544
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_004E6111 push ebp; retf | 2_2_004E6113
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_004E3130 pushfd ; ret | 2_2_004E3137
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_028EDCB9 push FFFFFF8Bh; iretd | 2_2_028EDCBB
Source: initial sample | Static PE information: section name: .text entropy: 7.45714176103
Source: C:\Users\user\Desktop\DHL document.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL document.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL document.exe PID: 6756, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\DHL document.exe | Thread delayed: delay time: 922337203685477 (recorded twice)
Source: C:\Users\user\Desktop\DHL document.exe | Window / User API: threadDelayed 6580
Source: C:\Users\user\Desktop\DHL document.exe | Window / User API: threadDelayed 3269
Source: C:\Users\user\Desktop\DHL document.exe | TID: 6760 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\DHL document.exe | TID: 6788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL document.exe | TID: 6388 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\DHL document.exe | TID: 4604 Thread sleep count: 6580 > 30
Source: C:\Users\user\Desktop\DHL document.exe | TID: 4604 Thread sleep count: 3269 > 30
Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\DHL document.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB07F0 LdrInitializeThunk, 2_2_00EB07F0
Source: C:\Users\user\Desktop\DHL document.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL document.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DHL document.exe | Process created: C:\Users\user\Desktop\DHL document.exe {path}
Source: DHL document.exe, 00000002.00000002.592066285.00000000013E0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: DHL document.exe, 00000002.00000002.592066285.00000000013E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: DHL document.exe, 00000002.00000002.592066285.00000000013E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: DHL document.exe, 00000002.00000002.592066285.00000000013E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
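The evidence lines above are raw hook output, and an analyst usually wants them folded into three questions: which WMI classes were fingerprinted, which VM or sandbox artifacts the sample looks for, and whether it stalls with sleeps that no real machine would serve. The script below is an added example (it is not part of the Joe Sandbox report and not code from the sample) that does that triage over report-style lines. The indicator list, the WMI class list and the evasive() rule are this example's own choices; the sleep values are treated as milliseconds (an assumption, the report prints them with an 's' suffix), under which the 922337203685477 value is exactly TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks divided by 10,000 ticks per millisecond), a wait that can only be skipped by an analysis system, never completed. The sample input is copied from the evidence lines of this section.

```python
import re
from dataclasses import dataclass, field

# Indicator strings seen in the "Binary or memory string" evidence of this report.
# Hypothetical list for this example; extend it from your own YARA rules.
VM_STRINGS = (
    "VMware",
    "VMware SVGA II",                              # virtual display adapter name
    "SOFTWARE\\VMware, Inc.\\VMware Tools",        # VMware Tools registry key
    "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",   # VMware Tools install path
    "HARDWARE\\DEVICEMAP\\Scsi\\",                 # disk identifier strings
    "SBIEDLL.DLL",                                 # Sandboxie hook DLL
    "WINE_GET_UNIX_FILE_NAME",                     # exported only by Wine's kernel32
)

# WMI classes whose instances expose hypervisor hardware (board vendor,
# BIOS strings, MAC OUI, CPU brand string).
VM_WMI_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
}

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10,000 ticks per ms.
# Assumption of this example: the raw numbers in the report are milliseconds.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
LONG_SLEEP_MS = 30_000                            # threshold the report itself uses
LOOP_THRESHOLD = 30                               # threshold the report itself uses

_WMI = re.compile(r"IWbemServices::\w+ - root\\cimv2 : (?:SELECT .* FROM )?(\w+)")
_STRING = re.compile(r"Binary or memory string: (.+)$")
_SLEEP = re.compile(r"TID: (\d+)\s*Thread sleep time: -(\d+)s")
_LOOP = re.compile(r"TID: (\d+)\s*Thread sleep count: (\d+) >")


@dataclass
class EvasionFindings:
    wmi_classes: set = field(default_factory=set)
    vm_indicators: set = field(default_factory=set)
    long_sleeps: list = field(default_factory=list)   # (tid, ms)
    sleep_loops: list = field(default_factory=list)   # (tid, iterations)

    def impossible_sleeps(self):
        """Sleeps at or beyond TimeSpan.MaxValue: only a patched sandbox returns from them."""
        return [(tid, ms) for tid, ms in self.long_sleeps if ms >= TIMESPAN_MAX_MS]

    @property
    def evasive(self) -> bool:
        """VM/sandbox strings combined with hardware fingerprinting or sleep stalling."""
        fingerprinting = bool(self.wmi_classes & VM_WMI_CLASSES)
        stalling = bool(self.long_sleeps or self.sleep_loops)
        return bool(self.vm_indicators) and (fingerprinting or stalling)


def triage(lines):
    """Classify report-style behaviour lines into evasion findings."""
    found = EvasionFindings()
    for line in lines:
        if m := _WMI.search(line):
            found.wmi_classes.add(m.group(1))
        elif m := _STRING.search(line):
            text = m.group(1).lower()
            found.vm_indicators.update(i for i in VM_STRINGS if i.lower() in text)
        elif m := _SLEEP.search(line):
            tid, ms = int(m.group(1)), int(m.group(2))
            if ms >= LONG_SLEEP_MS:
                found.long_sleeps.append((tid, ms))
        elif m := _LOOP.search(line):
            tid, count = int(m.group(1)), int(m.group(2))
            if count > LOOP_THRESHOLD:
                found.sleep_loops.append((tid, count))
    return found


# Evidence lines copied from the report section above.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME",
    r"Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL",
    r"Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II",
    r'Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0',
    r"Source: C:\Users\user\Desktop\DHL document.exe | TID: 6760 Thread sleep time: -31500s >= -30000s",
    r"Source: C:\Users\user\Desktop\DHL document.exe | TID: 6788 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\DHL document.exe | TID: 6388 Thread sleep time: -14757395258967632s >= -30000s",
    r"Source: C:\Users\user\Desktop\DHL document.exe | TID: 4604 Thread sleep count: 6580 > 30",
    r"Source: C:\Users\user\Desktop\DHL document.exe | TID: 4604 Thread sleep count: 3269 > 30",
]

if __name__ == "__main__":
    findings = triage(REPORT_LINES)
    print("WMI classes:", sorted(findings.wmi_classes))
    print("VM/sandbox indicators:", sorted(findings.vm_indicators))
    print("Long sleeps (tid, ms):", findings.long_sleeps)
    print("Impossible sleeps:", findings.impossible_sleeps())
    print("Sleep loops (tid, n):", findings.sleep_loops)
    print("Evasive:", findings.evasive)
```

The evasive() rule deliberately requires both a string indicator and an active check (WMI fingerprinting or stalling): VM strings alone also appear in benign installers that detect VMware Tools, and a single 31.5 s sleep alone is not evidence of anything. The impossible_sleeps() list is the strongest single signal here, since a thread that asks for a TimeSpan.MaxValue wait is testing whether the environment shortens sleeps.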
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information (VolumeInformation) for each of the following files:
C:\Users\user\Desktop\DHL document.exe
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\bahnschrift.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrili.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\cambria.ttc
C:\Windows\Fonts\cambriai.ttf
C:\Windows\Fonts\cambriab.ttf
C:\Windows\Fonts\cambriaz.ttf
C:\Windows\Fonts\Candara.ttf
C:\Windows\Fonts\Candarai.ttf
C:\Windows\Fonts\Candarab.ttf
C:\Windows\Fonts\Candaraz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comici.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\comicz.ttf
C:\Windows\Fonts\consola.ttf
C:\Windows\Fonts\consolai.ttf
C:\Windows\Fonts\consolab.ttf
C:\Windows\Fonts\consolaz.ttf
C:\Windows\Fonts\constan.ttf
C:\Windows\Fonts\constani.ttf
C:\Windows\Fonts\constanb.ttf
C:\Windows\Fonts\constanz.ttf
C:\Windows\Fonts\corbel.ttf
C:\Windows\Fonts\corbeli.ttf
C:\Windows\Fonts\corbelb.ttf
C:\Windows\Fonts\corbelz.ttf
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\gadugi.ttf
C:\Windows\Fonts\gadugib.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\Inkfree.ttf
C:\Windows\Fonts\javatext.ttf
C:\Windows\Fonts\LeelawUI.ttf
C:\Windows\Fonts\LeelUIsl.ttf
C:\Windows\Fonts\LeelaUIb.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunsl.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttc
C:\Windows\Fonts\msjhl.ttc
C:\Windows\Fonts\msjhbd.ttc
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\msyh.ttc
C:\Windows\Fonts\msyhl.ttc
C:\Windows\Fonts\msyhbd.ttc
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\mmrtext.ttf
C:\Windows\Fonts\mmrtextb.ttf
C:\Windows\Fonts\Nirmala.ttf
C:\Windows\Fonts\NirmalaS.ttf
C:\Windows\Fonts\NirmalaB.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\seguisli.ttf
C:\Windows\Fonts\seguili.ttf
C:\Windows\Fonts\seguisbi.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguibl.ttf
C:\Windows\Fonts\seguibli.ttf
C:\Windows\Fonts\seguiemj.ttf
C:\Windows\Fonts\seguihis.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\Sitka.ttc
C:\Windows\Fonts\SitkaI.ttc
C:\Windows\Fonts\SitkaB.ttc
C:\Windows\Fonts\SitkaZ.ttc
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\YuGothR.ttc
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BEL<