Analysis Report DHL document.exe

Overview

General Information

Sample Name: DHL document.exe
Analysis ID: 339038
MD5: 5c629d2ad3a45250eebc832c568e9ad0
SHA1: 8b32e938bcd05fb40ec673607a4748b4badbd614
SHA256: 566554b534a53102dd67fc20bd07ca49241b51616d73619e383e80bdfc4fe08a
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • DHL document.exe (PID: 6756 cmdline: 'C:\Users\user\Desktop\DHL document.exe' MD5: 5C629D2AD3A45250EEBC832C568E9AD0)
    • DHL document.exe (PID: 7004 cmdline: {path} MD5: 5C629D2AD3A45250EEBC832C568E9AD0)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "pFchlRoNMUTKWto", "URL: ": "https://B2bQlilPZYn20R.org", "To: ": "nado@dicon.md", "ByHost: ": "mail.dicon.md:587", "Password: ": "dVALs", "From: ": "nado@dicon.md"}
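The configuration above is what the extractor recovered from the child process (PID 7004); the ByHost/From/To/Password fields are the SMTP exfiltration settings, and the sample later resolves mail.dicon.md and connects to port 587 (see Networking). As an added example that is not part of the Joe Sandbox report or of any tooling it describes, the following Python normalizes that extractor JSON (whose keys carry a trailing ": "), derives the exfiltration indicators from it, and correlates them with constructed copies of the report's DNS and TCP lines. The key normalization and the fall-back to port 25 when ByHost has no port are assumptions about the extractor's output, not documented behaviour.

```python
"""Normalize the extracted AgentTesla SMTP configuration and correlate it with
the network evidence from this report. Added example, not sandbox code."""
import json
import re
from typing import Dict, Tuple

# Configuration exactly as the report prints it (keys carry 'Name: ').
RAW_CONFIG = (
    '{"Username: ": "pFchlRoNMUTKWto", "URL: ": "https://B2bQlilPZYn20R.org", '
    '"To: ": "nado@dicon.md", "ByHost: ": "mail.dicon.md:587", '
    '"Password: ": "dVALs", "From: ": "nado@dicon.md"}'
)

# Constructed copies of the Networking entries from this report.
NETWORK_LINES = [
    "TCP traffic: 192.168.2.3:49745 -> 194.33.40.40:587",
    "DNS traffic detected: queries for: mail.dicon.md",
]

TCP_RE = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")
DNS_RE = re.compile(r"queries for: (\S+)")


def normalize_config(raw: str) -> Dict[str, str]:
    """'ByHost: ' -> 'byhost' (assumed key decoration); values are left untouched."""
    return {k.strip().rstrip(":").lower(): v for k, v in json.loads(raw).items()}


def exfil_endpoint(cfg: Dict[str, str]) -> Tuple[str, int]:
    """Split 'host:port'; assume plain SMTP (25) when no port is present."""
    host, _, port = cfg["byhost"].rpartition(":")
    if not host:            # no colon at all: rpartition put everything in 'port'
        return port, 25
    return host, int(port)


def indicators(cfg: Dict[str, str]) -> Dict[str, object]:
    """Network and account indicators a defender can act on."""
    host, port = exfil_endpoint(cfg)
    return {
        "smtp_host": host,
        "smtp_port": port,
        "sender": cfg["from"],
        "recipient": cfg["to"],
        "smtp_user": cfg["username"],
        "url": cfg["url"],
        # AgentTesla SMTP configs often send from the mailbox to itself.
        "sends_to_self": cfg["from"].lower() == cfg["to"].lower(),
    }


def correlate(cfg: Dict[str, str], lines) -> Dict[str, object]:
    """Did the sandbox run resolve the config's mail host and talk to its port?"""
    host, port = exfil_endpoint(cfg)
    result = {"dns_resolved": False, "smtp_connections": []}
    for line in lines:
        m = DNS_RE.search(line)
        if m and m.group(1).rstrip(".").lower() == host.lower():
            result["dns_resolved"] = True
            continue
        m = TCP_RE.search(line)
        if m and int(m.group(4)) == port:
            result["smtp_connections"].append((m.group(3), int(m.group(4))))
    # The report lists the same flow twice; keep one entry per destination.
    result["smtp_connections"] = sorted(set(result["smtp_connections"]))
    return result


if __name__ == "__main__":
    cfg = normalize_config(RAW_CONFIG)
    print(indicators(cfg))
    print(correlate(cfg, NETWORK_LINES))
```

The correlation only ties the observed 194.33.40.40:587 flow to the configured host through the DNS query; the report does not show the TLS/SMTP payload, so the credentials above should be treated as indicators to block and report to the mailbox provider, not as something to test.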

Yara Overview

Memory Dumps

Source                                                               Rule                           Description                       Author
00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp  JoeSecurity_AntiVM_3           Yara detected AntiVM_3            Joe Security
00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp  JoeSecurity_AgentTesla_1       Yara detected AgentTesla          Joe Security
00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1       Yara detected AgentTesla          Joe Security
00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp  JoeSecurity_CredentialStealer  Yara detected Credential Stealer  Joe Security
00000000.00000002.238800439.0000000004D46000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1       Yara detected AgentTesla          Joe Security
(3 further entries are collapsed in the original report and not reproduced here)

            Unpacked PEs

Source                                Rule                      Description               Author
2.2.DHL document.exe.400000.0.unpack  JoeSecurity_AgentTesla_1  Yara detected AgentTesla  Joe Security
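The memory-dump identifiers in the two tables above encode where each Yara hit was found, and reading them is what turns the list into a picture: the AgentTesla payload is in process 2 (the second DHL document.exe, spawned by the first) in a region at 0x402000 whose protection field is 0x40, and the unpacked PE for that process is reported at base 0x400000. As an added example (not from the report or its vendor), the following Python parses those names on the assumed layout <process index>.<stage>.<dump id>.<virtual address>.<page protection>.<region type>.sdmp, reading the fifth field as a Windows PAGE_* constant (0x02 read, 0x04 read/write, 0x40 execute/read/write), groups the hits by process, and flags writable+executable regions in any process other than the initial one. The hit list is copied from the Memory Dumps table; the field interpretation is an assumption that fits the page's values, not documented format.

```python
"""Parse sandbox memory-dump identifiers and flag writable+executable regions
in a spawned child process. Added example; the dump names are the Yara hits
from this report, the field layout is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Low byte of the Windows PAGE_* memory protection constants.
PAGE_PROTECT = {
    0x01: "NOACCESS", 0x02: "R", 0x04: "RW", 0x08: "WC",
    0x10: "X", 0x20: "RX", 0x40: "RWX", 0x80: "WCX",
}
PAGE_GUARD = 0x100

# Assumed layout: <process index>.<stage>.<dump id>.<virtual address>.<page protection>.<region type>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class MemoryDump:
    process_index: int
    stage: int
    dump_id: int
    base: int
    protect: int
    kind: int
    rule: str = ""


def parse_dump_name(name: str, rule: str = "") -> MemoryDump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump identifier: {name}")
    return MemoryDump(int(m["proc"]), int(m["stage"]), int(m["dump"]),
                      int(m["addr"], 16), int(m["prot"], 16), int(m["kind"], 16), rule)


def protection_label(protect: int) -> str:
    label = PAGE_PROTECT.get(protect & 0xFF, f"0x{protect & 0xFF:02x}")
    return label + "+GUARD" if protect & PAGE_GUARD else label


def is_writable_executable(protect: int) -> bool:
    return (protect & 0xFF) in (0x40, 0x80)


def parse_unpack_name(name: str) -> Tuple[int, int, int]:
    """'2.2.DHL document.exe.400000.0.unpack' -> (process 2, stage 2, base 0x400000)."""
    head, base, _index, suffix = name.rsplit(".", 3)
    if suffix != "unpack":
        raise ValueError(f"not an unpacked PE identifier: {name}")
    proc, stage, _image = head.split(".", 2)
    return int(proc), int(stage), int(base, 16)


# Yara hits as listed in the Memory Dumps table of this report.
YARA_HITS = [
    ("00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp", "JoeSecurity_AntiVM_3"),
    ("00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp", "JoeSecurity_CredentialStealer"),
    ("00000000.00000002.238800439.0000000004D46000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
]


def hits_by_process(hits) -> Dict[int, List[MemoryDump]]:
    grouped = defaultdict(list)
    for name, rule in hits:
        d = parse_dump_name(name, rule)
        grouped[d.process_index].append(d)
    return dict(grouped)


def injected_code_regions(hits, unpacked_pe: Optional[str] = None) -> List[MemoryDump]:
    """RWX regions in any process other than the initial one (index 0). If an
    unpacked PE name is given, keep only regions of that process within 1 MiB
    above its base, i.e. inside the image that was written into the child."""
    proc = lo = hi = None
    if unpacked_pe:
        proc, _stage, base = parse_unpack_name(unpacked_pe)
        lo, hi = base, base + 0x100000
    out = []
    for d in (parse_dump_name(n, r) for n, r in hits):
        if d.process_index == 0 or not is_writable_executable(d.protect):
            continue
        if proc is not None and (d.process_index != proc or not lo <= d.base < hi):
            continue
        out.append(d)
    return out


if __name__ == "__main__":
    for proc, dumps in sorted(hits_by_process(YARA_HITS).items()):
        for d in dumps:
            print(f"process {proc} 0x{d.base:08x} {protection_label(d.protect):<5} {d.rule}")
    for d in injected_code_regions(YARA_HITS, "2.2.DHL document.exe.400000.0.unpack"):
        print(f"RWX region at 0x{d.base:08x} in spawned process {d.process_index}: {d.rule}")
```

On this report's data the only RWX hit is the 0x402000 region in process 2, which matches the "Creates a process in suspended mode (likely to inject code)" signature: the parent decrypts the payload (the TransformFinalBlock/CreateDecryptor calls noted under System Summary), starts a second copy of itself suspended, and writes the AgentTesla image into it. The RW hits at 0x3361000 and 0x4D46000 in process 0 are heap copies of the decrypted payload, which is why the AgentTesla rule also fires in the parent.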

              Sigma Overview

              No Sigma rule has matched

              Signature Overview


AV Detection:

Found malware configuration
Source: DHL document.exe.7004.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "pFchlRoNMUTKWto", "URL: ": "https://B2bQlilPZYn20R.org", "To: ": "nado@dicon.md", "ByHost: ": "mail.dicon.md:587", "Password: ": "dVALs", "From: ": "nado@dicon.md"}
Multi AV Scanner detection for submitted file
Source: DHL document.exe | Virustotal: Detection: 38%
Source: DHL document.exe | ReversingLabs: Detection: 22%
Machine Learning detection for sample
Source: DHL document.exe | Joe Sandbox ML: detected
Source: 0.2.DHL document.exe.f20000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.DHL document.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL document.exe | Unpacked PE file: 0.2.DHL document.exe.f20000.0.unpack
Source: DHL document.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL document.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_0595964C
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_0595B008

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://B2bQlilPZYn20R.org
Source: global traffic | TCP traffic: 192.168.2.3:49745 -> 194.33.40.40:587
Source: unknown | DNS traffic detected: queries for: mail.dicon.md
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://dicon.md
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://mail.dicon.md
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/05
Source: DHL document.exe, 00000002.00000002.600615092.00000000066B0000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.D
Source: DHL document.exe, 00000002.00000002.600615092.00000000066B0000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.Dll
Source: DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: http://stPqVp.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL document.exe, 00000000.00000002.245870053.000000000871A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgreta
Source: DHL document.exe, 00000000.00000002.245870053.000000000871A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL document.exe, 00000000.00000003.215832766.0000000008723000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: DHL document.exe, 00000000.00000003.215701958.0000000008722000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/=
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL document.exe, 00000000.00000003.215386674.0000000008721000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnq
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp, DHL document.exe, 00000000.00000003.216486611.0000000008713000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: DHL document.exe, 00000000.00000003.216784260.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Tpq
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: DHL document.exe, 00000000.00000003.216784260.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp, DHL document.exe, 00000000.00000003.217255637.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: DHL document.exe, 00000000.00000003.216486611.0000000008713000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/tion
Source: DHL document.exe, 00000000.00000003.217557117.0000000008722000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp, DHL document.exe, 00000002.00000002.596777081.0000000002E50000.00000004.00000001.sdmp | String found in binary or memory: https://B2bQlilPZYn20R.org
Source: DHL document.exe, 00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 2.2.DHL document.exe.400000.0.unpack, <PrivateImplementationDetails>{7614D01B-8E27-493F-8C34-38287B5DD74F}/5248AC47-A4EC-48FA-A67C-832FDDA33A14.cs | Large array initialization: .cctor: array initializer size 11921
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: DHL document.exe
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D2048
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0480
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D1690
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0F10
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D2FA8
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5078
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D2038
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5088
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D52C0
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D52B0
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5538
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5528
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0470
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0438
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5730
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D5720
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D1681
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D1B48
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D1B38
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D2F19
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D0E88
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_05958530
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_05958520
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_059564FC
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_0A5CF5F8
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00E762F0
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00E7B378
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB0040
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB5D58
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB2640
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB0F70
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EBE219
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_00EB2639
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_028E46A0
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_028E45B0
Source: DHL document.exe | Binary or memory string: OriginalFilename vs DHL document.exe
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs DHL document.exe
Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs DHL document.exe
Source: DHL document.exe, 00000000.00000000.210421799.0000000000F22000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameq/f.exeB vs DHL document.exe
Source: DHL document.exe, 00000000.00000002.249202211.0000000009E00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL document.exe
Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGHMJJpHUWTZmSKvshlsLsrIHFDsQNdx.exe4 vs DHL document.exe
Source: DHL document.exe, 00000002.00000002.591586977.0000000000E80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs DHL document.exe
Source: DHL document.exe, 00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameGHMJJpHUWTZmSKvshlsLsrIHFDsQNdx.exe4 vs DHL document.exe
Source: DHL document.exe, 00000002.00000000.234260071.00000000004E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameq/f.exeB vs DHL document.exe
Source: DHL document.exe, 00000002.00000002.591371215.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL document.exe
Source: DHL document.exe, 00000002.00000002.588857554.0000000000978000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL document.exe
Source: DHL document.exe | Binary or memory string: OriginalFilenameq/f.exeB vs DHL document.exe
Source: DHL document.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2.2.DHL document.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\DHL document.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL document.exe.log
Source: C:\Users\user\Desktop\DHL document.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\DHL document.exe 'C:\Users\user\Desktop\DHL document.exe'
Source: unknown | Process created: C:\Users\user\Desktop\DHL document.exe {path}
Source: C:\Users\user\Desktop\DHL document.exe | Process created: C:\Users\user\Desktop\DHL document.exe {path}
Source: C:\Users\user\Desktop\DHL document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DHL document.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DHL document.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL document.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: DHL document.exe | Static file information: File size 1092608 > 1048576
Source: DHL document.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10a000

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DHL document.exe | Unpacked PE file: 0.2.DHL document.exe.f20000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL document.exe | Unpacked PE file: 0.2.DHL document.exe.f20000.0.unpack
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_00F23130 pushfd ; ret 0_2_00F23137
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_00F26111 push ebp; retf 0_2_00F26113
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_017D242A push ebp; retf 0_2_017D243D
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_0595C7B4 push edx; ret 0_2_0595C7B5
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_0A5C3185 push ebp; iretd 0_2_0A5C3188
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 0_2_0A5C1543 push edx; retf 0_2_0A5C1544
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_004E6111 push ebp; retf 2_2_004E6113
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_004E3130 pushfd ; ret 2_2_004E3137
Source: C:\Users\user\Desktop\DHL document.exe | Code function: 2_2_028EDCB9 push FFFFFF8Bh; iretd 2_2_028EDCBB
Source: initial sample | Static PE information: section name: .text entropy: 7.45714176103
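The two static signals in this section are section rights (the report prints them in an E/R/W shorthand per section, and notes that the dumped image has lost its section names) and the .text entropy of 7.457, which for a 1 MB .NET .text section points at a compressed or encrypted payload rather than IL. As an added example, not the sandbox's code, the following Python parses a PE32 section table with only the standard library, renders the same shorthand, diffs the rights of two images by section index (because a dumped image, as here, may carry only Unknown_SectionN names), and computes per-section Shannon entropy. The PE it analyses is built in memory by build_pe in the same block so the example runs offline; that synthetic layout and its seeded pseudo-random .text are assumptions for illustration, not this sample's bytes.

```python
"""PE32 section rights and per-section entropy, the two static signals this
report uses. Added example with a synthetic PE; not the sandbox's code."""
import math
import random
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    rva: int
    vsize: int
    raw_ptr: int
    raw_size: int
    characteristics: int


def align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_pe(sections: List[Tuple[str, bytes, int]]) -> bytes:
    """Minimal PE32: DOS header, PE signature, COFF header, blank optional header, section table."""
    n = len(sections)
    hdr_len = align(0x40 + 4 + 20 + 224 + 40 * n, 0x200)
    raw_ptr, rva, table, body = hdr_len, 0x1000, b"", b""
    for name, data, chars in sections:
        raw_size = align(len(data), 0x200)
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), len(data),
                             rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += align(max(len(data), 1), 0x1000)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)   # i386, SizeOfOptionalHeader=224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_len, b"\0") + body


def parse_sections(pe: bytes) -> List[Section]:
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsect):
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        out.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, raw_ptr, raw_size, chars))
    return out


def rights(chars: int) -> str:
    """Same E/R/W notation as the report's 'Detected unpacking' line."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(flag for bit, flag in flags if chars & bit)


def rights_summary(pe: bytes) -> str:
    return "".join(f"{s.name}:{rights(s.characteristics)};" for s in parse_sections(pe))


def rights_diff(before: bytes, after: bytes) -> List[Tuple[int, str, str, str]]:
    """Compare by index, since a dumped image may have lost its section names."""
    pairs = zip(parse_sections(before), parse_sections(after))
    return [(i, a.name, rights(a.characteristics), rights(b.characteristics))
            for i, (a, b) in enumerate(pairs) if rights(a.characteristics) != rights(b.characteristics)]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the ceiling for encrypted/compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropy(pe: bytes) -> Dict[str, float]:
    return {s.name: entropy(pe[s.raw_ptr:s.raw_ptr + min(s.vsize, s.raw_size)]) for s in parse_sections(pe)}


# Synthetic sample: a packed-looking .text (seeded pseudo-random bytes), resources, relocations.
_rng = random.Random(20210112)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(0x10000))
ON_DISK = build_pe([
    (".text", PACKED_TEXT, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rsrc", b"RESOURCE" * 64, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".reloc", b"\0" * 16, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
])
# What an in-place unpacker that made .text writable and dropped the names would leave behind.
DUMPED = build_pe([
    ("", PACKED_TEXT, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("", b"RESOURCE" * 64, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ("", b"\0" * 16, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
])
```

Run against a real file the only change needed is reading the bytes from disk; the report's own 7.457 for .text would come out of section_entropy, and rights_diff between the on-disk file and a dump is the check behind the "changes PE section rights" signature.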
              Source: C:\Users\user\Desktop\DHL document.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match; File source: 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: DHL document.exe PID: 6756, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\DHL document.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\DHL document.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\DHL document.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\DHL document.exe; Window / User API: threadDelayed 6580
              Source: C:\Users\user\Desktop\DHL document.exe; Window / User API: threadDelayed 3269
              Source: C:\Users\user\Desktop\DHL document.exe TID: 6760; Thread sleep time: -31500s >= -30000s
              Source: C:\Users\user\Desktop\DHL document.exe TID: 6788; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\DHL document.exe TID: 6388; Thread sleep time: -14757395258967632s >= -30000s
              Source: C:\Users\user\Desktop\DHL document.exe TID: 4604; Thread sleep count: 6580 > 30
              Source: C:\Users\user\Desktop\DHL document.exe TID: 4604; Thread sleep count: 3269 > 30
              Source: C:\Users\user\Desktop\DHL document.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\DHL document.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp; Binary or memory string: VMware
              Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp; Binary or memory string: vmware
              Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp; Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp; Binary or memory string: VMWARE
              Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
              Source: DHL document.exe, 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: DHL document.exe, 00000000.00000002.236992432.000000000350D000.00000004.00000001.sdmp; Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\DHL document.exe; Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Code function: 2_2_00EB07F0 LdrInitializeThunk, 2_2_00EB07F0
              Source: C:\Users\user\Desktop\DHL document.exe; Process token adjusted: Debug
              Source: C:\Users\user\Desktop\DHL document.exe; Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\DHL document.exe; Process created: C:\Users\user\Desktop\DHL document.exe {path}
              Source: DHL document.exe, 00000002.00000002.592066285.00000000013E0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
              Source: DHL document.exe, 00000002.00000002.592066285.00000000013E0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
              Source: DHL document.exe, 00000002.00000002.592066285.00000000013E0000.00000002.00000001.sdmp; Binary or memory string: Progman
              Source: DHL document.exe, 00000002.00000002.592066285.00000000013E0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Users\user\Desktop\DHL document.exe VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\DHL document.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Users\user\Desktop\DHL document.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238800439.0000000004D46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL document.exe PID: 7004, type: MEMORY
Source: Yara match | File source: 2.2.DHL document.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\DHL document.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\DHL document.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DHL document.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\DHL document.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\DHL document.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\DHL document.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL document.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\DHL document.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL document.exe PID: 7004, type: MEMORY

              Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238800439.0000000004D46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL document.exe PID: 7004, type: MEMORY
Source: Yara match | File source: 2.2.DHL document.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 13 | Credentials in Registry 1 | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 13 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 111 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 23 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

              Behavior Graph

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
DHL document.exe | 39% | Virustotal |
DHL document.exe | 23% | ReversingLabs | Win32.Trojan.Pwsx
DHL document.exe | 100% | Joe Sandbox ML |

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

Source | Detection | Scanner | Label
0.2.DHL document.exe.f20000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
2.2.DHL document.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

              Domains

Source | Detection | Scanner | Label
dicon.md | 0% | Virustotal |

              URLs

Source | Detection | Scanner | Label
https://B2bQlilPZYn20R.org | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/a-d | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://stPqVp.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/-cz | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://r3.o.lencr.Dll | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cnq | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comgreta | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/05 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Tpq | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/N | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/= | 0% | Avira URL Cloud | safe
http://r3.o.lencr.D | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://dicon.md | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/q | 0% | Avira URL Cloud | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://mail.dicon.md | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/tion | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dicon.md | 194.33.40.40 | true | true | | unknown
mail.dicon.md | unknown | unknown | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://B2bQlilPZYn20R.org | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/a-d | DHL document.exe, 00000000.00000003.216784260.000000000871B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://stPqVp.com | DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/-cz | DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://r3.o.lencr.Dll | DHL document.exe, 00000002.00000002.600615092.00000000066B0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/cThe | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnq | DHL document.exe, 00000000.00000003.215386674.0000000008721000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgreta | DHL document.exe, 00000000.00000002.245870053.000000000871A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.i.lencr.org/05 | DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Tpq | DHL document.exe, 00000000.00000003.216784260.000000000871B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.o.lencr.org0 | DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | DHL document.exe, 00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.root-x1.letsencrypt.org0 | DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://DynDns.comDynDNS | DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | DHL document.exe, 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/N | DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/= | DHL document.exe, 00000000.00000003.215701958.0000000008722000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.o.lencr.D | DHL document.exe, 00000002.00000002.600615092.00000000066B0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp, DHL document.exe, 00000000.00000003.217255637.000000000871B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | DHL document.exe, 00000000.00000003.215832766.0000000008723000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://dicon.md | DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Y0/ | DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/q | DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.monotype. | DHL document.exe, 00000000.00000003.217557117.0000000008722000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comm | DHL document.exe, 00000000.00000002.245870053.000000000871A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | DHL document.exe, 00000000.00000003.216960659.000000000871B000.00000004.00000001.sdmp, DHL document.exe, 00000000.00000003.216486611.0000000008713000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.dicon.md | DHL document.exe, 00000002.00000002.596699160.0000000002E26000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | DHL document.exe, 00000000.00000002.245898824.0000000008800000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/tion | DHL document.exe, 00000000.00000003.216486611.0000000008713000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                    Contacted IPs

                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.33.40.40 | unknown | Moldova Republic of | 206698 | AMPLICAMD | true

                                    General Information

                                    Joe Sandbox Version: 31.0.0 Red Diamond
                                    Analysis ID: 339038
                                    Start date: 13.01.2021
                                    Start time: 09:48:17
                                    Joe Sandbox Product: CloudBasic
                                    Overall analysis duration: 0h 8m 16s
                                    Hypervisor based Inspection enabled: false
                                    Report type: full
                                    Sample file name: DHL document.exe
                                    Cookbook file name: default.jbs
                                    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of new started processes analysed: 28
                                    Number of new started drivers analysed: 0
                                    Number of existing processes analysed: 0
                                    Number of existing drivers analysed: 0
                                    Number of injected processes analysed: 0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode: default
                                    Analysis stop reason: Timeout
                                    Detection: MAL
                                    Classification: mal100.troj.spyw.evad.winEXE@3/1@2/1
                                    EGA Information: Failed
                                    HDC Information:
                                    • Successful, ratio: 1.2% (good quality ratio 0.6%)
                                    • Quality average: 32.9%
                                    • Quality standard deviation: 37.7%
                                    HCA Information:
                                    • Successful, ratio: 93%
                                    • Number of executed functions: 46
                                    • Number of non-executed functions: 17
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.193.48, 92.122.144.200, 51.11.168.160, 92.122.213.194, 92.122.213.247, 8.248.139.254, 67.26.81.254, 8.248.113.254, 67.27.157.254, 8.248.135.254, 51.103.5.186, 20.54.26.129, 51.104.139.180, 52.155.217.156
                                    • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    Time | Type | Description
                                    09:49:16 | API Interceptor | 1089x Sleep call for process: DHL document.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    Match | Associated Sample Name / URL | Detection
                                    194.33.40.40 | DHL Tracking.exe | malicious
                                    194.33.40.40 | DHL fill.exe | malicious
                                    194.33.40.40 | BL FOR SHIPMENT_doc.gz.exe | malicious

                                          Domains

                                          Match | Associated Sample Name / URL | Detection

                                          ASN

                                          Match | Associated Sample Name / URL | Detection | Context
                                          AMPLICAMD | DHL Tracking.exe | malicious | 194.33.40.40
                                          AMPLICAMD | DHL fill.exe | malicious | 194.33.40.40
                                          AMPLICAMD | BL FOR SHIPMENT_doc.gz.exe | malicious | 194.33.40.40
                                          AMPLICAMD | 15о заказе.js | malicious | 185.165.242.5

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL document.exe.log
                                          Process: C:\Users\user\Desktop\DHL document.exe
                                          File Type: ASCII text, with CRLF line terminators
                                          Category: dropped
                                          Size (bytes): 1216
                                          Entropy (8bit): 5.355304211458859
                                          Encrypted: false
                                          SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5: FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious: true
                                          Reputation: high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit): 7.450519577624797
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name: DHL document.exe
                                          File size: 1092608
                                          MD5: 5c629d2ad3a45250eebc832c568e9ad0
                                          SHA1: 8b32e938bcd05fb40ec673607a4748b4badbd614
                                          SHA256: 566554b534a53102dd67fc20bd07ca49241b51616d73619e383e80bdfc4fe08a
                                          SHA512: 311a877d39f6edab27162139a9ac0517a60284725a8c766d00a81b4d786fa0b59d4c5dd88d6cf873be5b6170d3a2a4ce5c61e30926b3c0a27e20b2abf155c1a4
                                          SSDEEP: 24576:hve37f8hNMvbH4NvcP7MEv73i3DiTsRt1GKtijAHk0+QWO:teD8hNMjNQEbi3WE1GNjAHkg
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0._..............0.............n.... ........@.. ....................................@................................

                                          File Icon

                                          Icon Hash: 00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint: 0x50bf6e
                                          Entrypoint Section: .text
                                          Digitally signed: false
                                          Imagebase: 0x400000
                                          Subsystem: windows gui
                                          Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp: 0x5FFE3011 [Tue Jan 12 23:26:09 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version: v4.0.30319
                                          OS Version Major: 4
                                          OS Version Minor: 0
                                          File Version Major: 4
                                          File Version Minor: 0
                                          Subsystem Version Major: 4
                                          Subsystem Version Minor: 0
                                          Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]

                                          Data Directories

                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10bf1c | 0x4f | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10c000 | 0x618 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10e000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x109f74 | 0x10a000 | False | 0.759986820078 | data | 7.45714176103 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x10c000 | 0x618 | 0x800 | False | 0.33251953125 | data | 3.4919599184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x10e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name | RVA | Size | Type | Language | Country
                                          RT_VERSION | 0x10c0a0 | 0x388 | data | |
                                          RT_MANIFEST | 0x10c428 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

                                          DLL | Import
                                          mscoree.dll | _CorExeMain

                                          Version Infos

                                          Description | Data
                                          Translation | 0x0000 0x04b0
                                          LegalCopyright | Copyright Overwolf 2011 - 2020
                                          Assembly Version | 2.159.0.0
                                          InternalName | q.exe
                                          FileVersion | 2.159.0.0
                                          CompanyName | Overwolf Ltd.
                                          LegalTrademarks |
                                          Comments | Overwolf Launcher
                                          ProductName | OverwolfLauncher
                                          ProductVersion | 2.159.0.0
                                          FileDescription | OverwolfLauncher
                                          OriginalFilename | q.exe

                                          Network Behavior

                                          TCP Packets

                                          UDP Packets


                                          DNS Queries

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                          Jan 13, 2021 09:51:01.497750998 CET | 192.168.2.3 | 8.8.8.8 | 0x6fff | Standard query (0) | mail.dicon.md | A (IP address) | IN (0x0001)
                                          Jan 13, 2021 09:51:01.614475965 CET | 192.168.2.3 | 8.8.8.8 | 0xd98d | Standard query (0) | mail.dicon.md | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          Jan 13, 2021 09:51:01.599282980 CET | 8.8.8.8 | 192.168.2.3 | 0x6fff | No error (0) | mail.dicon.md | dicon.md | | CNAME (Canonical name) | IN (0x0001)
                                          Jan 13, 2021 09:51:01.599282980 CET | 8.8.8.8 | 192.168.2.3 | 0x6fff | No error (0) | dicon.md | | 194.33.40.40 | A (IP address) | IN (0x0001)
                                          Jan 13, 2021 09:51:01.716131926 CET | 8.8.8.8 | 192.168.2.3 | 0xd98d | No error (0) | mail.dicon.md | dicon.md | | CNAME (Canonical name) | IN (0x0001)
                                          Jan 13, 2021 09:51:01.716131926 CET | 8.8.8.8 | 192.168.2.3 | 0xd98d | No error (0) | dicon.md | | 194.33.40.40 | A (IP address) | IN (0x0001)

                                          SMTP Packets

                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                          Jan 13, 2021 09:51:02.108988047 CET | 587 | 49745 | 194.33.40.40 | 192.168.2.3 | 220-web2.amplica.net ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 10:51:02 +0200
                                                                              |     |       |              |             | 220-We do not authorize the use of this system to transport unsolicited,
                                                                              |     |       |              |             | 220 and/or bulk e-mail.
                                          Jan 13, 2021 09:51:02.109482050 CET | 49745 | 587 | 192.168.2.3 | 194.33.40.40 | EHLO 414408
                                          Jan 13, 2021 09:51:02.185610056 CET | 587 | 49745 | 194.33.40.40 | 192.168.2.3 | 250-web2.amplica.net Hello 414408 [84.17.52.74]
                                                                              |     |       |              |             | 250-SIZE 83886080
                                                                              |     |       |              |             | 250-8BITMIME
                                                                              |     |       |              |             | 250-PIPELINING
                                                                              |     |       |              |             | 250-AUTH PLAIN LOGIN
                                                                              |     |       |              |             | 250-STARTTLS
                                                                              |     |       |              |             | 250 HELP
                                          Jan 13, 2021 09:51:02.186029911 CET | 49745 | 587 | 192.168.2.3 | 194.33.40.40 | STARTTLS
                                          Jan 13, 2021 09:51:02.267008066 CET | 587 | 49745 | 194.33.40.40 | 192.168.2.3 | 220 TLS go ahead
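The SMTP capture above ends at "220 TLS go ahead": the sample negotiates STARTTLS on port 587 before it authenticates, so the AUTH PLAIN/LOGIN credentials and the exfiltrated data never appear in the clear-text packet log, and the recoverable indicators are the DNS name, the server address and port, the server banner and the client's EHLO name. The following parser is an added example by the editor, not part of the Joe Sandbox report: it reconstructs the five turns of the exchange from the values in the table (the "C:"/"S:" prefixes are added for readability), groups RFC 5321 multi-line replies by their "NNN-" continuation / "NNN " final-line convention, and pulls out exactly those indicators. The "EHLO name looks like a hostname, not an FQDN" check is the editor's own heuristic, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple, Union

# Clear-text SMTP transcript reconstructed from the captured packets above.
# "C:" lines were sent by the sandbox host (192.168.2.3), "S:" lines by
# mail.dicon.md (194.33.40.40) on port 587.
CAPTURE = """\
S: 220-web2.amplica.net ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 10:51:02 +0200
S: 220-We do not authorize the use of this system to transport unsolicited,
S: 220 and/or bulk e-mail.
C: EHLO 414408
S: 250-web2.amplica.net Hello 414408 [84.17.52.74]
S: 250-SIZE 83886080
S: 250-8BITMIME
S: 250-PIPELINING
S: 250-AUTH PLAIN LOGIN
S: 250-STARTTLS
S: 250 HELP
C: STARTTLS
S: 220 TLS go ahead
"""

# RFC 5321 reply line: three-digit code, then "-" (more lines follow) or " " (last line).
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class Reply:
    code: int
    lines: List[str] = field(default_factory=list)


Turn = Tuple[str, Union[str, Reply]]


def parse_transcript(text: str) -> List[Turn]:
    """Group the transcript into ("C", command) and ("S", Reply) turns.

    A multi-line reply is complete only when a line uses "NNN " rather than
    "NNN-"; a code that changes mid-reply or a transcript that ends inside a
    reply is treated as a parse error rather than silently accepted.
    """
    turns: List[Turn] = []
    pending = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        side, _, payload = raw.partition(": ")
        if side == "C":
            turns.append(("C", payload))
            continue
        m = REPLY_RE.match(payload)
        if m is None:
            raise ValueError(f"malformed server line: {payload!r}")
        code, sep, rest = int(m.group(1)), m.group(2), m.group(3)
        if pending is None:
            pending = Reply(code)
        elif pending.code != code:
            raise ValueError("reply code changed inside a multi-line reply")
        pending.lines.append(rest)
        if sep == " ":
            turns.append(("S", pending))
            pending = None
    if pending is not None:
        raise ValueError("transcript ends inside a multi-line reply")
    return turns


def analyse(turns: List[Turn]) -> dict:
    """Extract the indicators an analyst can still pull from the clear-text part."""
    result = {
        "banner": None, "ehlo_name": None, "ehlo_is_fqdn": None,
        "capabilities": [], "auth_methods": [],
        "starttls_offered": False, "starttls_used": False,
        "auth_in_clear": False,
    }
    last_client = None
    for side, item in turns:
        if side == "C":
            verb, _, arg = item.partition(" ")
            last_client = verb.upper()
            if last_client == "EHLO":
                result["ehlo_name"] = arg
                # Heuristic (editor's assumption): a bare name with no dot is
                # usually the infected machine's computer name, not a mail host.
                result["ehlo_is_fqdn"] = "." in arg
            elif last_client == "AUTH":
                # AUTH before STARTTLS would expose the credentials in the capture.
                result["auth_in_clear"] = not result["starttls_used"]
            continue
        if last_client is None and item.code == 220:
            result["banner"] = item.lines[0]
        elif last_client == "EHLO" and item.code == 250:
            caps = item.lines[1:]          # first 250 line is the greeting, not a capability
            result["capabilities"] = caps
            for cap in caps:
                name, _, args = cap.partition(" ")
                if name == "STARTTLS":
                    result["starttls_offered"] = True
                elif name == "AUTH":
                    result["auth_methods"] = args.split()
        elif last_client == "STARTTLS" and item.code == 220:
            result["starttls_used"] = True
    return result


if __name__ == "__main__":
    for key, value in analyse(parse_transcript(CAPTURE)).items():
        print(f"{key}: {value}")
```

Everything after the final 220 is TLS application data, so to recover the destination mailbox, the SMTP credentials and the stolen data one has to either terminate TLS inside the sandbox or read the plaintext out of the process before it is encrypted; the packet log alone gives only the indicators this script prints.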

                                          Code Manipulations

                                          Statistics

                                          CPU Usage

                                          Memory Usage

                                          High Level Behavior Distribution

                                          Behavior

                                          System Behavior

                                          General

                                          Start time:09:49:08
                                          Start date:13/01/2021
                                          Path:C:\Users\user\Desktop\DHL document.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\DHL document.exe'
                                          Imagebase:0xf20000
                                          File size:1092608 bytes
                                          MD5 hash:5C629D2AD3A45250EEBC832C568E9AD0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.236255563.0000000003361000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.238800439.0000000004D46000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:09:49:20
                                          Start date:13/01/2021
                                          Path:C:\Users\user\Desktop\DHL document.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x4e0000
                                          File size:1092608 bytes
                                          MD5 hash:5C629D2AD3A45250EEBC832C568E9AD0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.587585011.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.593469319.0000000002B11000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          Disassembly

                                          Code Analysis


                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: Q_1T$z7hb
                                            • API String ID: 0-2303893252
                                            • Opcode ID: d83a316e2a7a3295c022015066c7b33ec1ace6269b0f6b8da51b2f753efef066
                                            • Instruction ID: 4d378a74cca4f47f177bb2f1dc916d67cd6fa2efe2c4f075d75aae815f05b602
                                            • Opcode Fuzzy Hash: d83a316e2a7a3295c022015066c7b33ec1ace6269b0f6b8da51b2f753efef066
                                            • Instruction Fuzzy Hash: B5E1ADB5D0460EDFCB04CFA5C4849AEFBB2FF89300B14C599D415AB25AD735AA42CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: Q_1T$z7hb
                                            • API String ID: 0-2303893252
                                            • Opcode ID: c071313a0f3b28275521a6d7f0eeab7318b6cc5bfa9d12d3eddecab44ec85dfc
                                            • Instruction ID: ef623a9f05dae35236b433cdb2d7005c74c6adbeab650aa4187b5bcd26bcf78e
                                            • Opcode Fuzzy Hash: c071313a0f3b28275521a6d7f0eeab7318b6cc5bfa9d12d3eddecab44ec85dfc
                                            • Instruction Fuzzy Hash: EBC167B0D0420ADFCB04CFAAC5859AEFBB2FF89300B14D569C516AB314D734AA42CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: w
                                            • API String ID: 0-1398449040
                                            • Opcode ID: 69a323f2eaf442b0b97af94ae82d1908dfddff83cf185bbe7b0490883bda7305
                                            • Instruction ID: c1fc5d78face23ce8a12dab0c246a8693e6a54127658d3376c4dd43e6d42d72a
                                            • Opcode Fuzzy Hash: 69a323f2eaf442b0b97af94ae82d1908dfddff83cf185bbe7b0490883bda7305
                                            • Instruction Fuzzy Hash: 4B513B74E052098FCB08CFAAC5446AEFBF2FF88310F14C16AD519A7255D7348A41CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: w
                                            • API String ID: 0-1398449040
                                            • Opcode ID: baf8926ea63b8324ac5984f7cab6c4a6d94afafaa9c6c6040731c6aee47b4535
                                            • Instruction ID: f44e43c6a359fae3f2097efa3671343d20a1594f097ef71324305438d8f535a8
                                            • Opcode Fuzzy Hash: baf8926ea63b8324ac5984f7cab6c4a6d94afafaa9c6c6040731c6aee47b4535
                                            • Instruction Fuzzy Hash: 4D5128B4E012098FDB08CFAAC5446AEFBF2FF88310F14C56AD519A7254DB349A02CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aacbb456bab7ca6c98a7b9ea00f95edcfbe04927007123ba5d74aebccd2b1c03
                                            • Instruction ID: dedae83b8a9c3d656d2e8cbcfa1aa3c9c290d0012f6e49c5a3791c256b34d5e1
                                            • Opcode Fuzzy Hash: aacbb456bab7ca6c98a7b9ea00f95edcfbe04927007123ba5d74aebccd2b1c03
                                            • Instruction Fuzzy Hash: 1DB14474E0424D8FDB05CFA9D8446EEFBF2BF89310F24946AE415AB259D7309946CF60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd09b0d6dec2f062adaf9ff0df6b412066f895a41756f958e67e67f762236ca8
                                            • Instruction ID: 1ba39b9ada95a29caec88c9a225de247a42da2ce32e439e3719f301a4a9748f5
                                            • Opcode Fuzzy Hash: bd09b0d6dec2f062adaf9ff0df6b412066f895a41756f958e67e67f762236ca8
                                            • Instruction Fuzzy Hash: 1881C274E002198FDB58CFE9C984AEEFBB2BF89300F24946AD519AB354D7309946CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7fed19cf510e7f3ec977f1f2d29616bebfaa1086b66b13fb6f4980fcadc6d512
                                            • Instruction ID: 4940eff037a8e51fe02d371e447938046e00a76827dbfeef300ce682cda4329e
                                            • Opcode Fuzzy Hash: 7fed19cf510e7f3ec977f1f2d29616bebfaa1086b66b13fb6f4980fcadc6d512
                                            • Instruction Fuzzy Hash: 55213071E116488FDB59CFABA8046DEFBF3EFCA210F05C17AD918A6269DB3405018F11
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9510619e0a10caa0685c40090dd4385c31738a03a252177a0e1f9aa51685399a
                                            • Instruction ID: 3ba54c09537bdc4c059d6742097cbde7046417c8dbe67427152feae0aa8d395c
                                            • Opcode Fuzzy Hash: 9510619e0a10caa0685c40090dd4385c31738a03a252177a0e1f9aa51685399a
                                            • Instruction Fuzzy Hash: A021F571E006188BEB18CFABD8443DEFBB7AFC9310F14C16AD908A6259DB341956CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b158a960dc6ae1020d1ba16f5691d1756214b36a3be3745eb8dade190a61516a
                                            • Instruction ID: 3f82217101769a93bfb1d9a4eba19c9c66a184f2db0d4445a1ef6cebe67e6771
                                            • Opcode Fuzzy Hash: b158a960dc6ae1020d1ba16f5691d1756214b36a3be3745eb8dade190a61516a
                                            • Instruction Fuzzy Hash: BB21C971E006188BEB58CFABD84079EFBF7EFC9200F05C5BAD918A6214EB3019568F51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b618c5e364ce2b63bb98e7005dc359d4df7248161581bae06b2eb65b2c50c27
                                            • Instruction ID: 86fe5608f9a6bae632efd6d0cb622a4b321a9b0c59053c7c6b4e065f6cd02cf5
                                            • Opcode Fuzzy Hash: 5b618c5e364ce2b63bb98e7005dc359d4df7248161581bae06b2eb65b2c50c27
                                            • Instruction Fuzzy Hash: 9B21E5B1E016588BDB19CFAAD9447DEBBF3AFC9310F14C16AD408AA259DB341946CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 059559C0
                                            • GetCurrentThread.KERNEL32 ref: 059559FD
                                            • GetCurrentProcess.KERNEL32 ref: 05955A3A
                                            • GetCurrentThreadId.KERNEL32 ref: 05955A93
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: cc946dfae5e109b1febd7afca906d0740b0daac0926d7366e7cb9e12b81c5b35
                                            • Instruction ID: 22390cda9429328d244c3d2630ee66721276579202ccdf3239d3bb2529b91b78
                                            • Opcode Fuzzy Hash: cc946dfae5e109b1febd7afca906d0740b0daac0926d7366e7cb9e12b81c5b35
                                            • Instruction Fuzzy Hash: 235152B09047498FDB14DFAAD988B9EBBF4BF48324F248459E409AB391C7346844CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 059559C0
                                            • GetCurrentThread.KERNEL32 ref: 059559FD
                                            • GetCurrentProcess.KERNEL32 ref: 05955A3A
                                            • GetCurrentThreadId.KERNEL32 ref: 05955A93
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 8707f5182af1137dfdccd63d6bf4ac70bb3e7e116bdc9a0e56bf97ee80f14c04
                                            • Instruction ID: dc8868ec7ff3d656e9c33e15becf638330732366e012d3c6258584ca323fc289
                                            • Opcode Fuzzy Hash: 8707f5182af1137dfdccd63d6bf4ac70bb3e7e116bdc9a0e56bf97ee80f14c04
                                            • Instruction Fuzzy Hash: 135152B09047498FDB14DFAAD988B9EBBF4FB88324F248459E409AB351C7346844CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(?), ref: 059537A2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: abdad4e827d2fb4452d330b48e25faa63763e2222549645d21afb35a0d4d0c59
                                            • Instruction ID: 776930ce7cc7afb09fc4e98ec6689d1f032ac581a5c22d3bf12521584b260c8d
                                            • Opcode Fuzzy Hash: abdad4e827d2fb4452d330b48e25faa63763e2222549645d21afb35a0d4d0c59
                                            • Instruction Fuzzy Hash: E5912570A007099FDB24DF69D084B9ABBF5BF88254F00892DE84AE7750D734E815CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0595A2F9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 42dae9b0b62ec2becbeed1269a2fc615912791e1686a1ec5959eb68fd2684d56
                                            • Instruction ID: 7fb5b2b2feb8c03096c2805442a0082aeda3a8b1ced937e9bb69f8eb5984ac55
                                            • Opcode Fuzzy Hash: 42dae9b0b62ec2becbeed1269a2fc615912791e1686a1ec5959eb68fd2684d56
                                            • Instruction Fuzzy Hash: 0D7199B4D042589FCF20CFA9C884ADEBBB1BB49314F1491AAE948B7211D7349A85CF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0595A2F9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 9c09300b9c65542d7d64f8457550af699eced767b096f3d01e5d3a8c697a44fa
                                            • Instruction ID: 8eff2bf2856dd0a77b5b7d6310a01fd4f53e0bc74f8af99c91964b385b600d9a
                                            • Opcode Fuzzy Hash: 9c09300b9c65542d7d64f8457550af699eced767b096f3d01e5d3a8c697a44fa
                                            • Instruction Fuzzy Hash: 6D7187B4D04218DFCF20CFA9C884ADEBBF1BB09314F1491AAE948B7211D730AA85CF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 017DD669
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 1daef9ce940a1aef014f68ce15470fc9dda2eedcb5b84ac59d0f65a03ee92a11
                                            • Instruction ID: 2493b3f4b13b24f31b6bb95f40556511b8affd5ec06a76347904de90a6ceaf04
                                            • Opcode Fuzzy Hash: 1daef9ce940a1aef014f68ce15470fc9dda2eedcb5b84ac59d0f65a03ee92a11
                                            • Instruction Fuzzy Hash: C751C375D0462CCFDB20DFA4C880BDEBBB5BF45304F1180A9E509AB251DB716A89CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05955C53
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 27e92d5815e177ac93bffd42a9d1e081437ef2bd02ce1857be8cf41d77307198
                                            • Instruction ID: 228692085ec665e97eb52299c6fa8136303a250e25e1dfd8e0be16d68f67ceab
                                            • Opcode Fuzzy Hash: 27e92d5815e177ac93bffd42a9d1e081437ef2bd02ce1857be8cf41d77307198
                                            • Instruction Fuzzy Hash: C24175B9D012489FCF00CFA9D984ADEBBF4BB19320F14942AE818AB210D335A955CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05955C53
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 5dfbf1d08eb12fec88fdba5448309435c9cccf19ed4a1231b9db32085e9bb076
                                            • Instruction ID: 43f192570f923111f73e31cb5127368754ff69f4bde128e64dea3617599338b6
                                            • Opcode Fuzzy Hash: 5dfbf1d08eb12fec88fdba5448309435c9cccf19ed4a1231b9db32085e9bb076
                                            • Instruction Fuzzy Hash: 844188B9D002589FCF00CFA9D984ADEBBF4BB09320F14902AE918BB310D335A955CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 017D7EE7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: f29b1874b1cff607bbdf5dbdd0a756c9e4ab10fa689bce08305d1561bfb09089
                                            • Instruction ID: 24279f5c8bf8116ef3342389caf07953f96c29553e5f6156b19985d0f0713f97
                                            • Opcode Fuzzy Hash: f29b1874b1cff607bbdf5dbdd0a756c9e4ab10fa689bce08305d1561bfb09089
                                            • Instruction Fuzzy Hash: E731B8B9D042589FCF10CFA9E880AEEFBF0AB59314F24942AE814B7310C335A945CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0595C961
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(?,?,?), ref: 05953ACA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(?,?,?), ref: 05953ACA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0

                                            APIs
                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 017D7EE7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.236043636.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0595A4EE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(?), ref: 059537A2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0595A4EE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.241770942.0000000005950000.00000040.00000001.sdmp, Offset: 05950000, based on PE: false
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0

                                            Non-executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.249809576.000000000A5C0000.00000040.00000001.sdmp, Offset: 0A5C0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: W\u$W\u
                                            • API String ID: 0-772192558


                                            Executed Functions

                                            APIs
                                            • AnimateWindow.USER32(00000000,00000001,00000000), ref: 00EB5DFF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.591700174.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                                            Similarity
                                            • API ID: AnimateWindow
                                            • String ID:
                                            • API String ID: 646619712-0

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.591700174.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 028E69A0
                                            • GetCurrentThread.KERNEL32 ref: 028E69DD
                                            • GetCurrentProcess.KERNEL32 ref: 028E6A1A
                                            • GetCurrentThreadId.KERNEL32 ref: 028E6A73
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: Message
                                            • String ID:
                                            • API String ID: 2030045667-0


                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028E51A2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 9b0c92df6b36557661638968572ec19f9396e5b43a9f1e8c76583f471c332a36
                                            • Instruction ID: 21622db1e29e083abdcacde4477767890c928798a1aa8c1de81ca56fc6bd92dc
                                            • Opcode Fuzzy Hash: 9b0c92df6b36557661638968572ec19f9396e5b43a9f1e8c76583f471c332a36
                                            • Instruction Fuzzy Hash: E451E0B5D003499FDF14CFA9C984ADEFBB1BF88314F64822AE819AB210D7749945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028E51A2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 7c0c322f663c0a419dbfdbb8c2d9bd64103ed8d77babcb0fc6da08fa608ae34d
                                            • Instruction ID: f00105ed6dc300a530a8e26f3895bcc271f511ef9ad901b8eb2c6b8a29a58617
                                            • Opcode Fuzzy Hash: 7c0c322f663c0a419dbfdbb8c2d9bd64103ed8d77babcb0fc6da08fa608ae34d
                                            • Instruction Fuzzy Hash: DA41E0B5D003489FDF14CF99C984ADEBBB5BF88314F64812AE819AB210D7749945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 028E7F01
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 5055bb8836cd741a00326937636173f8dc6f362628c723ce0901e76a4a06c502
                                            • Instruction ID: 85ba99cd3f18a6d44710dc9cb44b3e528cf7dec4e9841b273c2db27abe8e25fe
                                            • Opcode Fuzzy Hash: 5055bb8836cd741a00326937636173f8dc6f362628c723ce0901e76a4a06c502
                                            • Instruction Fuzzy Hash: DD411BB8A00309CFCB14DF99C488AAAFBF5FF89314F148499E519AB311D774A841CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 028EC192
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 76db346a71c2ff8c9283df0e67c5b5300e40cf93e0d1529cf781053b599ec574
                                            • Instruction ID: 533eaef8f4aec4a697f417b9500d4d52ac7951696ed243477423327bc93864a5
                                            • Opcode Fuzzy Hash: 76db346a71c2ff8c9283df0e67c5b5300e40cf93e0d1529cf781053b599ec574
                                            • Instruction Fuzzy Hash: F331CFB99083898FDB11DF69E4483EEBFF4AB46318F24845AD48AE7242C7795409CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028E6BEF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: d3cceb871a43f115fd25776ed6301d046b0ebffe9d87f1164d5e300000922528
                                            • Instruction ID: 1d38119a28c92b3ca519e99cac4d701c5653ec949f87fd4f5378bf7ee146eee0
                                            • Opcode Fuzzy Hash: d3cceb871a43f115fd25776ed6301d046b0ebffe9d87f1164d5e300000922528
                                            • Instruction Fuzzy Hash: C82114B59002489FDF10CFA9D984AEEBBF4FB48324F14801AE914A7311D378A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028E6BEF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 43bf9d2d3abc70b9e191b8ec7d0ff31c9e8162b078ebffb84dd0e16a2990de9c
                                            • Instruction ID: 1e3f91755d4f6d39db097f34f24b20c40a2a590b80c7e54357131bd0697ac659
                                            • Opcode Fuzzy Hash: 43bf9d2d3abc70b9e191b8ec7d0ff31c9e8162b078ebffb84dd0e16a2990de9c
                                            • Instruction Fuzzy Hash: 9F21F3B59002489FDF10CFAAD984ADEFBF8FB48324F14841AE919A7310D374A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 028E4116
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 873e45fcd99956edf724defa407ea05d89ed0484d18939da16ec01193e13d5a7
                                            • Instruction ID: 219f1c1c1fce071dcef71fc33a7d83020cee78c3448be5474b15c8ddabad4f04
                                            • Opcode Fuzzy Hash: 873e45fcd99956edf724defa407ea05d89ed0484d18939da16ec01193e13d5a7
                                            • Instruction Fuzzy Hash: 962144B9C042498FCF10DF9AC884B9EBBF4FB8A314F15806AD45AB7601D374A905CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00EBDE7A), ref: 00EBDF67
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.591700174.0000000000EB0000.00000040.00000001.sdmp, Offset: 00EB0000, based on PE: false
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: f38ab9e63cf483d7d8a9c7f4f44df442d5fc91cece51cb6acb5e3fb988a244c7
                                            • Instruction ID: a0d3e001c44ffe280f137e71a91cf8f4cb49b13308fa4b4faeae1e1b140fd808
                                            • Opcode Fuzzy Hash: f38ab9e63cf483d7d8a9c7f4f44df442d5fc91cece51cb6acb5e3fb988a244c7
                                            • Instruction Fuzzy Hash: E91147B1D086199BCB10DFAAC8447EEFBF4EB48324F14812AE418B7240D378A944CFE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,00E77679,00000800), ref: 00E7770A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.591546814.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 592a51a351954229abbadbfb7b9a8c2fe29f83b263352b0dbb6ade8b92945e9d
                                            • Instruction ID: acaa07266f290ba500dff3aefef5904f01165e773a5345013897186b1fddf787
                                            • Opcode Fuzzy Hash: 592a51a351954229abbadbfb7b9a8c2fe29f83b263352b0dbb6ade8b92945e9d
                                            • Instruction Fuzzy Hash: 041114B69043498FCB10DFAAC484BDEFBF4EB88364F10842AE459B7600C375A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 028EC192
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 0d993ea4d413cb2414f2855fc68a42201062e82ca2a82f6c24b9f6ae62111d1f
                                            • Instruction ID: d297ae83e56fcc62bc971ca1e9d7d74e6a4be4ec6bca25077c011ecdcda2b20f
                                            • Opcode Fuzzy Hash: 0d993ea4d413cb2414f2855fc68a42201062e82ca2a82f6c24b9f6ae62111d1f
                                            • Instruction Fuzzy Hash: 921147B59047498FDF10EFAAC54879EBBF4EB45324F20842AE40AB3641D739A504CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,00E77679,00000800), ref: 00E7770A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.591546814.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: ce5c3f5c18dac00b1df66a9baf5a7f08e8e5e4a43e7827aaddb214d4751c1e58
                                            • Instruction ID: 5b1295f95bbce00bbfe96df462b141628bc5824c142e70110229df8f50e6cded
                                            • Opcode Fuzzy Hash: ce5c3f5c18dac00b1df66a9baf5a7f08e8e5e4a43e7827aaddb214d4751c1e58
                                            • Instruction Fuzzy Hash: 111112B69042498FCB10CFAAC584BDEFBF4AB88324F14842EE459B7600C375A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 028E4116
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 4f70ffe783af4e5ee27d1e357487739f730ef98d01972251d7081552dec7dace
                                            • Instruction ID: cdfea416c1d327a77b77cb330fb59ade1b0f430a44e74fe52d345a50d2f092dd
                                            • Opcode Fuzzy Hash: 4f70ffe783af4e5ee27d1e357487739f730ef98d01972251d7081552dec7dace
                                            • Instruction Fuzzy Hash: 321134B9C002498FCF10CF9AC444ACEFBF4EB89324F14816AD419B7600D378A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 028E4116
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.592172271.00000000028E0000.00000040.00000001.sdmp, Offset: 028E0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 00872f6c7dc8bf2c65455e52d8cab8abca372335931d4126e01d643efda315cc
                                            • Instruction ID: 46d92fbf2d064bfddf720edee64684a16dba340dc3e068dc8b3bbe678617c2c5
                                            • Opcode Fuzzy Hash: 00872f6c7dc8bf2c65455e52d8cab8abca372335931d4126e01d643efda315cc
                                            • Instruction Fuzzy Hash: 2111F0B9D046498BCF20DF9AC444BDEFBF4EB89324F10846AD81AB7600D375A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 00E7B1B5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.591546814.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 7882e968faea789b70e007d56d6726cd806342484254b6a2b071ce6c7b2a50af
                                            • Instruction ID: 8940ffa63f15a1e5179b22a1101a2966adcba95231a47fe595e7b39471525007
                                            • Opcode Fuzzy Hash: 7882e968faea789b70e007d56d6726cd806342484254b6a2b071ce6c7b2a50af
                                            • Instruction Fuzzy Hash: DD1103B59046488FCB10DF9AC588BDFBBF8EB48324F108459E519B7700D374A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 00E7B1B5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.591546814.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 5681b9762c58c08227dd14e10311a149f27d229895763c72e9a4b032463f8dda
                                            • Instruction ID: 33347ea5e2619b468207525dc59547abebecd2838a9efb511caecdf1b77a883d
                                            • Opcode Fuzzy Hash: 5681b9762c58c08227dd14e10311a149f27d229895763c72e9a4b032463f8dda
                                            • Instruction Fuzzy Hash: 7A1100B5900249CFCB20DFA9C588BCEBBF4AB48324F14855AE558B7600D379A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions