
Analysis Report Recibo de entrega de DHL.exe

Overview

General Information

Sample Name: Recibo de entrega de DHL.exe
Analysis ID: 358255
MD5: 335a69ee25155d53f6df46c020aa90cd
SHA1: cbecea1d93ff376b6a7f5ea72c191d4020372344
SHA256: 66dd2c7ac2b0bc7b604efa99f21a828da26c15a366a2e809e23b82dda44b63dd
Tags: DHL, ESP, exe, geo

Detection

404Keylogger AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected 404Keylogger
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large strings
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "moin.ansari@sapgroup.com.pk", "ByHost: ": "mail.sapgroup.com.pk:587", "Password: ": "", "From: ": "moin.ansari@sapgroup.com.pk"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x17588:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1693a:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x16db0:$a4: \Orbitum\User Data\Default\Login Data
0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security
0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.Recibo de entrega de DHL.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x19388:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1873a:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x18bb0:$a4: \Orbitum\User Data\Default\Login Data
5.2.Recibo de entrega de DHL.exe.400000.0.unpack | JoeSecurity_404Keylogger | Yara detected 404Keylogger | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
  Source: Recibo de entrega de DHL.exe.2912.5.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "moin.ansari@sapgroup.com.pk", "ByHost: ": "mail.sapgroup.com.pk:587", "Password: ": "", "From: ": "moin.ansari@sapgroup.com.pk"}
Multi AV Scanner detection for submitted file
  Source: Recibo de entrega de DHL.exe | Virustotal: Detection: 31%
  Source: Recibo de entrega de DHL.exe | ReversingLabs: Detection: 12%
Machine Learning detection for sample
  Source: Recibo de entrega de DHL.exe | Joe Sandbox ML: detected
  Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen

Compliance:

Uses 32bit PE files
  Source: Recibo de entrega de DHL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
  Source: Recibo de entrega de DHL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
  Source: unknown | DNS query: name: checkip.dyndns.org
  Source: unknown | DNS query: name: checkip.dyndns.org
  Source: unknown | DNS query: name: checkip.dyndns.org
  Source: unknown | DNS query: name: checkip.dyndns.org
  Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 95.215.225.23:587
  Source: Joe Sandbox View | IP Address: 131.186.113.70
  Source: Joe Sandbox View | IP Address: 95.215.225.23
  Source: Joe Sandbox View | ASN Name: M247GB
  Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 95.215.225.23:587
  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
  Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906675983.0000000002DDD000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.com
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906616096.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org41k
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.905948918.0000000001189000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | String found in binary or memory: http://mail.sapgroup.com.pk
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | String found in binary or memory: http://sapgroup.com.pk
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.906616096.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: Recibo de entrega de DHL.exe | String found in binary or memory: http://tempuri.org/NorthWindAzureForInsertsDataSet.xsd
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.642797524.0000000006118000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.640725684.000000000611B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.640696140.000000000611B000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.640811691.000000000611B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comn
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnT
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/1
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/A
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/E
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643616679.000000000610C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/N
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/S
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/1
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/A
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/nl-nj
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/w
  Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/xt
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://myip.dnsomatic.com9====
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://pastebin.com/api/api_login.php
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://pastebin.com/api/api_login.phpJhttps://pastebin.com/api/api_post.php
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://pastebin.com/api/api_post.php
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected 404Keylogger
  Source: Yara match | File source: 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY
  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack, type: UNPACKEDPE
Installs a global keyboard hook
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Recibo de entrega de DHL.exe

System Summary:

Malicious sample detected (through community Yara rule)
  Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
  Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
  Source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
  Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
.NET source code contains very large strings
  Source: Recibo de entrega de DHL.exe, Form1.cs | Long String: Length: 13656
  Source: 0.0.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs | Long String: Length: 13656
  Source: 0.2.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs | Long String: Length: 13656
  Source: 4.2.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs | Long String: Length: 13656
  Source: 4.0.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs | Long String: Length: 13656
  Source: 5.0.Recibo de entrega de DHL.exe.9f0000.0.unpack, Form1.cs | Long String: Length: 13656
  Source: 5.2.Recibo de entrega de DHL.exe.9f0000.1.unpack, Form1.cs | Long String: Length: 13656
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 0_2_00A0ADD9
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 0_2_02CBC148
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 0_2_02CBA758
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 0_2_05895FB8
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 4_2_0031ADD9
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 5_2_009FADD9
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 5_2_02BA2728
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 5_2_02BAB4B8
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 5_2_02BAD4F0
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 5_2_02BABD88
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 5_2_02BAB170
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 5_2_02BA6FA0
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelilba.exe4 vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.667225265.0000000007720000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.659157889.0000000000A5E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe, 00000004.00000002.656059575.000000000036E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.905582160.0000000000A4E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.905614308.0000000000BE7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.905770245.0000000000F40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe, 00000005.00000002.905508557.000000000041E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamelilba.exe4 vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe | Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
  Source: Recibo de entrega de DHL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
  Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
  Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
  Source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
  Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
  Source: Recibo de entrega de DHL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, ???W???W????????W???u??yy???W??W????????Wu???.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
  Source: Recibo de entrega de DHL.exe, Form1.cs | Base64 encoded string: [long base64 string not reproduced in this extract]
  Source: 0.0.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs | Base64 encoded string: [long base64 string not reproduced in this extract]
  Source: 0.2.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs | Base64 encoded string: [long base64 string not reproduced in this extract]
  Source: 4.2.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs | Base64 encoded string: [long base64 string not reproduced in this extract]
  Source: 4.0.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs | Base64 encoded string: [long base64 string not reproduced in this extract]
  Source: 5.0.Recibo de entrega de DHL.exe.9f0000.0.unpack, Form1.cs | Base64 encoded string: [long base64 string not reproduced in this extract]
  Source: 5.2.Recibo de entrega de DHL.exe.9f0000.1.unpack, Form1.cs | Base64 encoded string: [long base64 string not reproduced in this extract]
  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/2@4/3
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Recibo de entrega de DHL.exe.log
  Source: Recibo de entrega de DHL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | File read: C:\Windows\System32\drivers\etc\hosts
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | File read: C:\Windows\System32\drivers\etc\hosts
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | File read: C:\Windows\System32\drivers\etc\hosts
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | File read: C:\Windows\System32\drivers\etc\hosts
  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | File read: C:\Windows\System32\drivers\etc\hosts
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
  Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
  Source: Recibo de entrega de DHL.exe | Virustotal: Detection: 31%
  Source: Recibo de entrega de DHL.exe | ReversingLabs: Detection: 12%
                  Source: unknownProcess created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe 'C:\Users\user\Desktop\Recibo de entrega de DHL.exe'
                  Source: unknownProcess created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeProcess created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exeJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeProcess created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exeJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Recibo de entrega de DHL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Recibo de entrega de DHL.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Recibo de entrega de DHL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xA3A09597 [Thu Dec 28 06:24:23 2056 UTC]
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 0_2_00A07F72 push 00000000h; iretd 0_2_00A07FBC
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 4_2_00317F72 push 00000000h; iretd 4_2_00317FBC
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Code function: 5_2_009F7F72 push 00000000h; iretd 5_2_009F7FBC
Source: initial sample | Static PE information: section name: .text entropy: 7.51567311339
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Process information set: NOOPENFILEERRORBOX (observed 99 times)
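The three static facts the report extracts from the file (a COFF link timestamp of 0xA3A09597, which decodes to a date in 2056, a .text section with entropy 7.52 bits per byte, and the DllCharacteristics flags NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT) all sit in the PE headers and can be checked without a sandbox. The script below is an added example, not Joe Sandbox code and not code from the sample: it parses those fields from a PE32 image, flags a timestamp later than a supplied reference time and any section above 7.0 bits per byte, and builds a constructed minimal PE (not the analysed file) carrying the report's values so the check runs offline. The 7.0 threshold and the reference time are assumptions.

```python
import math
import struct
import time
from datetime import datetime, timedelta, timezone

# IMAGE_DLLCHARACTERISTICS_* bits named in the report (values from the PE/COFF spec).
DLLCHAR = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
ENTROPY_THRESHOLD = 7.0   # bits/byte; packed or encrypted code sections sit above this (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for constant data, 8.0 for uniform data)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(buf: bytes) -> dict:
    """Read the COFF timestamp, DllCharacteristics and per-section entropy of a PE32 file."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) handled here")
    dllchar = struct.unpack_from("<H", buf, opt + 70)[0]   # DllCharacteristics lives at +70 in the optional header
    sections = []
    for i in range(nsect):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), shannon_entropy(buf[raw_ptr:raw_ptr + raw_size])))
    return {"timestamp": timestamp, "dllchar": dllchar, "sections": sections}


def triage(buf: bytes, now=None) -> dict:
    """Flag what the sandbox flagged: a link timestamp after `now` and high-entropy sections."""
    if now is None:
        now = int(time.time())
    info = parse_pe32(buf)
    stamp = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=info["timestamp"])
    findings = []
    if info["timestamp"] > now:
        findings.append(f"link timestamp {stamp:%Y-%m-%d %H:%M:%S} UTC is in the future")
    for name, ent in info["sections"]:
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"section {name} entropy {ent:.2f} > {ENTROPY_THRESHOLD}")
    return {
        "timestamp_utc": f"{stamp:%Y-%m-%d %H:%M:%S}",
        "dllchar": sorted(n for bit, n in DLLCHAR.items() if info["dllchar"] & bit),
        "sections": info["sections"],
        "findings": findings,
    }


def build_sample_pe(timestamp: int, dllchar: int, text: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section (a stand-in, not the analysed sample)."""
    e_lfanew, opt_size, raw_ptr = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)     # DllCharacteristics
    section = struct.pack("<8sIIII", b".text", len(text), 0x1000, len(text), raw_ptr) + b"\0" * 16
    header = dos + b"PE\0\0" + coff + bytes(opt) + section
    return header + b"\0" * (raw_ptr - len(header)) + text


if __name__ == "__main__":
    # 0x8540 = NO_SEH | TERMINAL_SERVER_AWARE | DYNAMIC_BASE | NX_COMPAT, as listed in the report.
    sample = build_sample_pe(0xA3A09597, 0x8540, bytes(range(256)) * 4)
    print(triage(sample, now=1613000000))
```

The timestamp check only works against a trustworthy "now": on the analysis machine that is the wall clock, in a retrospective triage it should be the date the sample was first seen, otherwise a stamp that was merely in the future at collection time is missed.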

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.2d79518.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Thread delayed: delay time: 922337203685477 (observed 3 times)
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Window / User API: threadDelayed 544
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Window / User API: threadDelayed 4143
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 7012 | Thread sleep time: -101883s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 7036 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 6604 | Thread sleep count: 544 > 30
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 6604 | Thread sleep count: 4143 > 30
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -99515s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -99171s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -99062s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -98843s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -98513s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -98296s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -97421s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -97093s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -922337203685477s >= -30000s
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Process token adjusted: Debug (observed 2 times)
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Memory allocated: page read and write | page guard
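The evasion findings above rest on two kinds of evidence: API-level sleep behaviour (per-thread delays and the count of iterations in a sleep loop) and strings in process memory that name analysis environments (Sandboxie's SbieDll.dll, the wine_get_unix_file_name export that only Wine's kernel32 has, the VMware Tools install path and the VMware SVGA II display adapter). As an added example, not Joe Sandbox's own logic, the script below runs the same kind of triage over a constructed copy of a few of those rows: it aggregates sleeps per TID, treats a delay equal to Int64.MaxValue / 10^4 (TimeSpan.MaxValue expressed in milliseconds, 922337203685477) as an effectively infinite sleep, and maps memory strings to the environment they fingerprint. It assumes the report's sleep values are milliseconds despite the "s" suffix (the 30000 cut-off only makes sense that way); the sample rows, the " | " column separator and the VirtualBox entry in the indicator table are constructed here.

```python
import re
from collections import defaultdict

# Constructed copies of report rows (TIDs and values as printed in the report;
# the rows themselves are assembled here, with ' | ' between the columns).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 7012 | Thread sleep time: -101883s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 7036 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768 | Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 6604 | Thread sleep count: 544 > 30
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 6604 | Thread sleep count: 4143 > 30
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
""".strip().splitlines()

SLEEP_RE = re.compile(r"TID: (\d+) \| Thread sleep time: -(\d+)s")
COUNT_RE = re.compile(r"TID: (\d+) \| Thread sleep count: (\d+)")
STRING_RE = re.compile(r"Binary or memory string: (.+)$")

# Substrings (matched case-insensitively) and the analysis environment they fingerprint.
# The VirtualBox entry is an assumption added for generality; the rest appear in the report.
ANTI_ANALYSIS = {
    "sbiedll.dll": "Sandboxie",
    "wine_get_unix_file_name": "Wine",
    "vmware": "VMware",
    "vbox": "VirtualBox",
}

SLEEP_THRESHOLD_MS = 30_000                    # the report's own cut-off, read as milliseconds
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000        # TimeSpan.MaxValue in ms = 922337203685477


def triage_evasion(lines):
    """Aggregate sleep telemetry per thread and anti-analysis strings per environment."""
    threads = defaultdict(lambda: {"sleeps_ms": [], "loop_count": 0})
    indicators = {}
    for line in lines:
        if m := SLEEP_RE.search(line):
            threads[int(m.group(1))]["sleeps_ms"].append(int(m.group(2)))
        elif m := COUNT_RE.search(line):
            t = threads[int(m.group(1))]
            t["loop_count"] = max(t["loop_count"], int(m.group(2)))
        elif m := STRING_RE.search(line):
            for needle, env in ANTI_ANALYSIS.items():
                if needle in m.group(1).lower():
                    indicators.setdefault(env, []).append(m.group(1))
    findings = []
    for tid, t in sorted(threads.items()):
        long_sleeps = [ms for ms in t["sleeps_ms"] if ms >= SLEEP_THRESHOLD_MS]
        if any(ms >= TIMESPAN_MAX_MS for ms in t["sleeps_ms"]):
            findings.append(f"TID {tid}: sleep of TimeSpan.MaxValue (effectively infinite)")
        elif long_sleeps:
            findings.append(f"TID {tid}: {len(long_sleeps)} sleep(s) >= 30 s, longest {max(long_sleeps) / 1000:.0f} s")
        if t["loop_count"] > 30:
            findings.append(f"TID {tid}: sleep loop, {t['loop_count']} iterations")
    for env, hits in sorted(indicators.items()):
        findings.append(f"{env} fingerprint string(s): {', '.join(hits)}")
    return {"threads": dict(threads), "indicators": indicators, "findings": findings}


if __name__ == "__main__":
    for f in triage_evasion(SAMPLE_LINES)["findings"]:
        print(f)
```

The distinction between a single very long sleep and a loop of short ones matters when tuning a sandbox: the former is defeated by sleep skipping, the latter by a high iteration threshold, and a sample that does both (as TID 768 and TID 6604 show here) needs both countermeasures.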

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, ???WW?????????????????????????W?W????????????.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, ?W?W???????WW???W???W??????WyW????uy????????u.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Memory written: C:\Users\user\Desktop\Recibo de entrega de DHL.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe (observed 2 times)
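The two rows under the injection signature are the telemetry of process hollowing: the sample starts a second copy of itself, then writes a buffer beginning with 4D5A (the MZ signature) into that child at 0x400000, the conventional 32-bit image base. Neither event is conclusive on its own; the detection lives in correlating the create with the write. The following is an added example, not Joe Sandbox code: a small rule over an event stream, run against constructed events modelled on those rows. The child PID 7100, the CREATE_SUSPENDED flag on the create and the later thread resume are assumptions about the ordinary hollowing sequence; only the parent PID 7008, the image path and the write address come from the report.

```python
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit


@dataclass
class Event:
    kind: str           # "process_create", "memory_write" or "thread_resume"
    pid: int            # process performing the action
    target_pid: int     # process acted upon
    image: str = ""     # for process_create: image path of the child
    flags: int = 0      # for process_create: dwCreationFlags
    address: int = 0    # for memory_write: destination address in the target
    data: bytes = b""   # for memory_write: bytes written (the header is enough)


PARENT = r"C:\Users\user\Desktop\Recibo de entrega de DHL.exe"

# Constructed event stream modelled on the report rows: PID 7008 is the report's,
# child PID 7100, the suspended flag and the resume are assumed.
SAMPLE_EVENTS = [
    Event("process_create", pid=7008, target_pid=7100, image=PARENT, flags=CREATE_SUSPENDED),
    Event("memory_write", pid=7008, target_pid=7100, address=0x400000,
          data=b"MZ\x90\x00" + b"\x00" * 60),
    Event("memory_write", pid=7008, target_pid=7100, address=0x7FFE0000, data=b"\xCC"),
    Event("thread_resume", pid=7008, target_pid=7100),
]


def detect_hollowing(events):
    """One finding per child that was created suspended, received a PE header (MZ)
    from another process, and was then resumed."""
    suspended = {}     # child pid -> creating event
    pe_writes = {}     # child pid -> addresses where an MZ-prefixed buffer landed
    findings = []
    for ev in events:
        if ev.kind == "process_create" and ev.flags & CREATE_SUSPENDED:
            suspended[ev.target_pid] = ev
        elif ev.kind == "memory_write" and ev.pid != ev.target_pid:
            if ev.target_pid in suspended and ev.data[:2] == b"MZ":
                pe_writes.setdefault(ev.target_pid, []).append(ev.address)
        elif ev.kind == "thread_resume" and ev.target_pid in pe_writes:
            findings.append({
                "parent": ev.pid,
                "child": ev.target_pid,
                "image": suspended[ev.target_pid].image,
                "pe_written_at": pe_writes.pop(ev.target_pid),
                "verdict": "process hollowing: suspended create, MZ written, thread resumed",
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_EVENTS):
        print(f"{f['verdict']}: {f['parent']} -> {f['child']} at {[hex(a) for a in f['pe_written_at']]}")
```

Keying the write on the MZ prefix rather than on the address keeps the rule valid when the injected image is mapped somewhere other than 0x400000; requiring the suspended create keeps a debugger patching a running child, or a process writing to itself, out of the results.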
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Users\user\Desktop\Recibo de entrega de DHL.exe VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (observed 3 times)
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  Yara detected 404Keylogger
                  Source: Yara match | File source: 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack, type: UNPACKEDPE

                  Yara detected AgentTesla
                  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY

                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

                  Tries to steal Mail credentials (via file access)
                  Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack, type: UNPACKEDPE

                  Remote Access Functionality:

                  Yara detected 404Keylogger
                  Source: Yara match | File source: 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack, type: UNPACKEDPE

                  Yara detected AgentTesla
                  Source: Yara match | File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Native API¹ | Path Interception | Process Injection¹¹² | Masquerading¹ | OS Credential Dumping² | Security Software Discovery¹¹ | Remote Services | Email Collection¹ | Exfiltration Over Other Network Medium | Encrypted Channel¹ | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion² | Input Capture¹¹ | Virtualization/Sandbox Evasion² | Remote Desktop Protocol | Input Capture¹¹ | Exfiltration Over Bluetooth | Non-Standard Port¹ | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools¹ | Security Account Manager | Process Discovery² | SMB/Windows Admin Shares | Archive Collected Data¹¹ | Automated Exfiltration | Ingress Tool Transfer¹ | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection¹¹² | NTDS | Application Window Discovery¹ | Distributed Component Object Model | Data from Local System² | Scheduled Transfer | Non-Application Layer Protocol² | SIM Card Swap | Carrier Billing Fraud |
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information¹ | LSA Secrets | Remote System Discovery¹ | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol²² | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information²¹ | Cached Domain Credentials | System Network Configuration Discovery¹ | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing³ | DCSync | System Information Discovery¹³ | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp¹ | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

                  Behavior Graph

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  Recibo de entrega de DHL.exe | 31% | Virustotal |
                  Recibo de entrega de DHL.exe | 13% | ReversingLabs | Win32.Trojan.AgentTesla
                  Recibo de entrega de DHL.exe | 100% | Joe Sandbox ML |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  5.2.Recibo de entrega de DHL.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen

                  Domains

                  Source | Detection | Scanner | Label
                  sapgroup.com.pk | 0% | Virustotal |
                  checkip.dyndns.com | 0% | Virustotal |

URLs

Trailing characters such as "comn", "coml", "bThe" or "9====" are the bytes that followed each string in the memory dump, not part of the URL; fold them onto the host before using these as indicators. The entries that matter for this sample are the sapgroup.com.pk / mail.sapgroup.com.pk hosts (the SMTP exfiltration target) and the checkip.dyndns.org / checkip.dyndns.com / myip.dnsomatic.com IP-echo services; the remaining hosts are font-foundry URLs carried in font metadata plus framework and certificate-policy strings (tempuri.org, sectigo.com/CPS). The page lists the "URL Reputation" verdict three times per URL (one row per engine); each is shown once here.

Source | Detection | Scanner | Label
http://www.jiyu-kobo.co.jp/nl-nj | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/A | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cnT | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/1 | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org41k | 0% | Avira URL Cloud | safe
http://mail.sapgroup.com.pk | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/-cz | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
https://myip.dnsomatic.com9==== | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/1 | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | Avira URL Cloud | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/N | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/xt | 0% | Avira URL Cloud | safe
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://tempuri.org/NorthWindAzureForInsertsDataSet.xsd | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/S | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/N | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/E | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/A | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://sapgroup.com.pk | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/w | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0- | 0% | Avira URL Cloud | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/es-e | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sapgroup.com.pk | 95.215.225.23 | true | true | (none) | unknown
checkip.dyndns.com | 131.186.113.70 | true | false | (none) | unknown
checkip.dyndns.org | unknown | unknown | true | (none) | unknown
mail.sapgroup.com.pk | unknown | unknown | true | (none) | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Source cells name the process followed by the memory dump(s) the string was carved from; a source of just the file name means the string is in the sample on disk.

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.jiyu-kobo.co.jp/nl-nj | Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | (none) | high
http://www.jiyu-kobo.co.jp/jp/A | Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn/bThe | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp; 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers? | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cnT | Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/1 | Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org41k | Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | (none) | high
http://mail.sapgroup.com.pk | Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp | false | (none) | high
http://www.jiyu-kobo.co.jp/-cz | Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://myip.dnsomatic.com9==== | Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp; 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.founder.com.cn/cn/cThe | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/1 | Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp; 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comn | Recibo de entrega de DHL.exe, 00000000.00000003.640696140.000000000611B000.00000004.00000001.sdmp; 00000000.00000003.640811691.000000000611B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/N | Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp; 00000000.00000003.640725684.000000000611B000.00000004.00000001.sdmp | false | (none) | high
http://www.sandoll.co.kr | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/xt | Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.com | Recibo de entrega de DHL.exe, 00000005.00000002.906675983.0000000002DDD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp; 00000005.00000002.906616096.0000000002D71000.00000004.00000001.sdmp | false | (none) | high
http://www.sakkal.com | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/NorthWindAzureForInsertsDataSet.xsd | Recibo de entrega de DHL.exe | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Recibo de entrega de DHL.exe, 00000000.00000003.642797524.0000000006118000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | (none) | high
https://sectigo.com/CPS0 | Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/S | Recibo de entrega de DHL.exe, 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/N | Recibo de entrega de DHL.exe, 00000000.00000003.643616679.000000000610C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://pastebin.com/api/api_post.php | Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp; 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | false | (none) | high
http://checkip.dyndns.org | Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/E | Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/A | Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.come.com | Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | (none) | high
http://sapgroup.com.pk | Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/w | Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp; 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | (none) | high
https://pastebin.com/api/api_login.php | Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp; 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | false | (none) | high
http://www.jiyu-kobo.co.jp/ | Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp; 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp; 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0- | Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.como | Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/es-e | Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp | false | (none) | high
https://pastebin.com/api/api_login.phpJhttps://pastebin.com/api/api_post.php | Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp; 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp | false | (none) | high
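The table above mixes three very different things: hosts the sample really talked to, exfiltration-API strings that sit in memory whether or not they were used, and font-foundry and framework URLs that any .NET process carrying fonts or schemas will contain. The script below is an added triage example written for this report (it is not Joe Sandbox code): it folds the carver's trailing-junk variants (checkip.dyndns.org41k, www.tiro.comn) onto their real host and sorts every string into one of those buckets. The contacted-host set comes from the Contacted Domains table; the noise allowlist, the category names and the exfil-API host list are the editor's assumptions, and the sample input is a constructed subset of the table.

```python
"""Triage URL strings carved from sandbox memory dumps.

Added example for this report, not Joe Sandbox code.  Sorts strings from the
"URLs from Memory and Binaries" table into (1) hosts the sample contacted,
(2) well-known exfiltration API hosts present only as strings and (3) font /
framework noise, folding trailing-junk variants onto their real host.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

# From the report's "Contacted Domains" table.
CONTACTED_HOSTS: Set[str] = {
    "sapgroup.com.pk", "mail.sapgroup.com.pk",
    "checkip.dyndns.com", "checkip.dyndns.org",
}

# Exfiltration APIs used by commodity stealers.  A string alone is not
# evidence of use; it is flagged for review, not reported as contacted.
EXFIL_API_HOSTS: Set[str] = {"api.telegram.org", "pastebin.com"}

# Assumption (editor's allowlist): font-foundry URLs carried in font name
# tables, plus .NET / XML-schema / certificate-policy strings.
NOISE_HOSTS: Set[str] = {
    "www.jiyu-kobo.co.jp", "www.fontbureau.com", "www.founder.com.cn",
    "www.tiro.com", "www.goodfont.co.kr", "www.carterandcone.com",
    "www.sajatypeworks.com", "www.typography.net", "www.galapagosdesign.com",
    "fontfabrik.com", "www.fonts.com", "www.sandoll.co.kr", "www.urwpp.de",
    "www.zhongyicts.com.cn", "www.sakkal.com", "tempuri.org",
    "schemas.xmlsoap.org", "www.apache.org", "sectigo.com",
    "stackpath.bootstrapcdn.com",
}

# Constructed sample: a subset of the report's memory strings, junk included.
SAMPLE_MEMORY_URLS = [
    "http://www.jiyu-kobo.co.jp/nl-nj",
    "http://www.founder.com.cn/cn/bThe",
    "https://api.telegram.org/bot",
    "http://www.tiro.comn",
    "http://checkip.dyndns.org41k",
    "http://mail.sapgroup.com.pk",
    "https://myip.dnsomatic.com9====",
    "http://checkip.dyndns.org/q",
    "http://checkip.dyndns.com",
    "https://sectigo.com/CPS0",
    "https://pastebin.com/api/api_post.php",
    "http://sapgroup.com.pk",
    "https://pastebin.com/api/api_login.phpJhttps://pastebin.com/api/api_post.php",
]

_HOST_CHARS = re.compile(r"[A-Za-z0-9.-]+")


def carve_host(url: str) -> str:
    """Hostname as it appears in the carved string, trailing junk included.

    urlsplit() ends the netloc at the first '/', '?' or '#', so '/q' and
    '/cn/bThe' are dropped but 'checkip.dyndns.org41k' stays whole; bytes
    that cannot be part of a hostname (e.g. '====') are then trimmed.
    """
    netloc = urlsplit(url).netloc.lower()
    m = _HOST_CHARS.match(netloc)
    return m.group(0) if m else netloc


def normalize_host(host: str, known: Set[str]) -> Optional[str]:
    """Map a carved host onto the longest known host it starts with.

    Carving appends whatever bytes followed the string in memory, so
    'www.tiro.comn' -> 'www.tiro.com' and 'www.fontbureau.come.com' ->
    'www.fontbureau.com'.  Returns None when no known host matches.
    """
    hits = [k for k in known if host.startswith(k)]
    return max(hits, key=len) if hits else None


def classify(url: str) -> Tuple[str, str]:
    """Return (category, canonical_host) for one carved URL string."""
    raw = carve_host(url)
    for label, known in (
        ("contacted", CONTACTED_HOSTS),
        ("exfil-api-string", EXFIL_API_HOSTS),
        ("noise", NOISE_HOSTS),
    ):
        hit = normalize_host(raw, known)
        if hit is not None:
            return label, hit
    return "review", raw


def triage(urls: Iterable[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Group carved URLs by category, then by canonical host."""
    out: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for url in urls:
        category, host = classify(url)
        out[category][host].add(url)
    return {c: dict(hosts) for c, hosts in out.items()}


if __name__ == "__main__":
    for category, hosts in triage(SAMPLE_MEMORY_URLS).items():
        print(category)
        for host, variants in sorted(hosts.items()):
            print(f"  {host:<28} {len(variants)} string(s)")
```

Anything that lands in "review" (here the myip.dnsomatic.com IP-echo string) is the list to look at by hand; the "contacted" bucket is what goes into blocking, and "exfil-api-string" entries are worth a note in the report but are not indicators on their own.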

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
131.186.113.70 | unknown | United States | 33517 | DYNDNSUS | false
95.215.225.23 | unknown | United Kingdom | 9009 | M247GB | true

Private

IP
192.168.2.1
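Taken together, the Contacted Domains and Contacted IPs tables show the sequence a defender can key on: the injected process resolves checkip.dyndns.org (a public IP-echo service, 131.186.113.70) and shortly afterwards reaches mail.sapgroup.com.pk / 95.215.225.23, which the signature list attributes to SMTP. The rule below is an added detection example for this report, not Joe Sandbox code. Hosts and IPs are the report's; the timestamps, process IDs, port numbers, the benign control events, the SMTP port set, the mail-client image list and the allowed-relay address are all the editor's assumptions.

```python
"""Detection logic: external-IP lookup followed by outbound SMTP from a
non-mail process within a short window.  Added example, not Joe Sandbox code.

Keys on the sequence this report shows: a process resolves an IP-echo host
(checkip.dyndns.org) and then opens a connection on an SMTP port to a host
that is not one of the organisation's mail relays.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# IP-echo services commonly queried by stealers before exfiltration.
IP_ECHO_HOSTS: Set[str] = {"checkip.dyndns.org", "checkip.dyndns.com", "myip.dnsomatic.com"}
# Assumption: SMTP / submission ports to watch; adjust to the environment.
SMTP_PORTS: Set[int] = {25, 465, 587, 2525}
# Assumption: process images for which SMTP is expected.
MAIL_CLIENT_IMAGES: Set[str] = {"outlook.exe", "thunderbird.exe"}
# Assumption: relays the organisation actually uses (placeholder address).
ALLOWED_SMTP_DST: Set[str] = {"10.0.0.25"}

# Constructed endpoint telemetry.  Hosts and IPs come from the report;
# timestamps, pids, ports and the benign control events are invented.
SAMPLE_EVENTS = [
    {"ts": "2021-02-25T11:01:05", "pid": 5, "image": "Recibo de entrega de DHL.exe",
     "type": "dns", "query": "checkip.dyndns.org"},
    {"ts": "2021-02-25T11:01:06", "pid": 5, "image": "Recibo de entrega de DHL.exe",
     "type": "connect", "dst": "131.186.113.70", "port": 80},
    {"ts": "2021-02-25T11:01:40", "pid": 5, "image": "Recibo de entrega de DHL.exe",
     "type": "dns", "query": "mail.sapgroup.com.pk"},
    {"ts": "2021-02-25T11:01:41", "pid": 5, "image": "Recibo de entrega de DHL.exe",
     "type": "connect", "dst": "95.215.225.23", "port": 587},
    # benign: a browser checks its public IP and never sends mail
    {"ts": "2021-02-25T11:02:00", "pid": 12, "image": "chrome.exe",
     "type": "dns", "query": "checkip.dyndns.org"},
    # benign: mail client sending through the corporate relay
    {"ts": "2021-02-25T11:03:00", "pid": 20, "image": "outlook.exe",
     "type": "connect", "dst": "10.0.0.25", "port": 587},
    # benign: IP check and SMTP from the same process, but hours apart
    {"ts": "2021-02-25T09:00:00", "pid": 31, "image": "updater.exe",
     "type": "dns", "query": "checkip.dyndns.com"},
    {"ts": "2021-02-25T11:30:00", "pid": 31, "image": "updater.exe",
     "type": "connect", "dst": "203.0.113.9", "port": 25},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def detect(events: Iterable[dict], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Alert when one process resolves an IP-echo host and, within `window`
    afterwards, connects on an SMTP port to a destination outside the allowed
    relays, unless the process image is a known mail client."""
    ordered = sorted(events, key=lambda e: e["ts"])  # materialise: two passes
    echo_lookups: Dict[int, List[datetime]] = {}
    for ev in ordered:
        if ev["type"] == "dns" and ev["query"].lower() in IP_ECHO_HOSTS:
            echo_lookups.setdefault(ev["pid"], []).append(_parse(ev["ts"]))
    alerts: List[dict] = []
    for ev in ordered:
        if ev["type"] != "connect" or ev["port"] not in SMTP_PORTS:
            continue
        if ev["image"].lower() in MAIL_CLIENT_IMAGES or ev["dst"] in ALLOWED_SMTP_DST:
            continue
        t = _parse(ev["ts"])
        recent = [x for x in echo_lookups.get(ev["pid"], []) if timedelta(0) <= t - x <= window]
        if recent:
            alerts.append({"pid": ev["pid"], "image": ev["image"], "smtp_dst": ev["dst"],
                           "port": ev["port"], "echo_lookup_at": recent[-1].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The window is the knob: too short and a stealer that sleeps between the IP check and the send (this sample makes repeated Sleep calls) slips through; too long and ordinary tools that happen to do both will page you. Ten minutes is a starting point, not a recommendation.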

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358255
Start date: 25.02.2021
Start time: 11:00:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Recibo de entrega de DHL.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/2@4/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.1%)
• Quality average: 14%
• Quality standard deviation: 25.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 36
• Number of non-executed functions: 4
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.113.196.254, 51.104.139.180, 13.107.3.254, 13.107.246.254, 13.64.90.137, 13.88.21.125, 92.122.145.220, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 104.43.139.144, 52.255.188.83, 92.122.213.247, 92.122.213.194, 104.42.151.234
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                      Simulations

                                                      Behavior and APIs

Time | Type | Description
11:01:11 | API Interceptor | 27x Sleep call for process: Recibo de entrega de DHL.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

Match: 131.186.113.70
Associated Sample Name / URL | Detection | Context
proposal-Copy.exe | malicious | checkip.dyndns.org/
0020210089.exe | malicious | checkip.dyndns.org/
SAL-0908889000.exe | malicious | checkip.dyndns.org/
URGENT RFQ 45253.exe | malicious | checkip.dyndns.org/
Shipping Documents and Conditions Certificate.exe | malicious | checkip.dyndns.org/
PAYMENT MT103-SWIFT.PDF.exe | malicious | checkip.dyndns.org/
PRODUCT ENQUIRY ( 21001025 ) PART NO EPN518.exe | malicious | checkip.dyndns.org/
IMG_0352_Scanned.exe | malicious | checkip.dyndns.org/
purchase order.exe | malicious | checkip.dyndns.org/
Message Body Content.exe | malicious | checkip.dyndns.org/
Consignment Invoice PL&BL Draft.exe | malicious | checkip.dyndns.org/
PO202100046.exe | malicious | checkip.dyndns.org/
P00760000.exe | malicious | checkip.dyndns.org/
Order.doc | malicious | checkip.dyndns.org/
purchase order.exe | malicious | checkip.dyndns.org/
IMG_57109_Scanned.doc | malicious | checkip.dyndns.org/
Purchase Order.exe | malicious | checkip.dyndns.org/
dot crypted.exe | malicious | checkip.dyndns.org/
v2.exe | malicious | checkip.dyndns.org/
PURCHASE ORDER CONFIRMATION.exe | malicious | checkip.dyndns.org/

Match: 95.215.225.23
Associated Sample Name / URL | Detection | Context
Purchase Order N° EQ 0010-0121.exe | malicious | (none)
http://bazaarkonections.com/admin/li.exe | malicious | (none)
SecuriteInfo.com.Trojan.PackedNET.453.28860.exe | malicious | (none)
Order83941.xlsx | malicious | (none)
DHL Shipment Notification Document 9671450633.exe | malicious | (none)
PO_3409_129.exe | malicious | (none)
DHL Delivery Reciept.exe | malicious | (none)
PO no.0107-320804-1.exe | malicious | (none)
Bank Transfer Form -pdf- .exe | malicious | (none)
OC 07082020 DOC.exe | malicious | (none)
Purchase Order RCM No. 0445-20.exe | malicious | (none)
HI2003-02.exe | malicious | (none)

                                                                              Domains

Match: checkip.dyndns.com
Associated Sample Name / URL | Detection | Context
Payment.exe | malicious | 216.146.43.71
proposal-Copy.exe | malicious | 131.186.113.70
RFQ CSDOK202040890.exe | malicious | 131.186.161.70
0020210089.exe | malicious | 131.186.113.70
SAL-0908889000.exe | malicious | 162.88.193.70
SWIFT 500395Y.exe | malicious | 131.186.161.70
Message Body.exe | malicious | 216.146.43.71
PaymentSwift.exe | malicious | 216.146.43.70
Halkbank_Ekstre_20210224_082357_541079.exe | malicious | 216.146.43.70
ditcrypted.exe | malicious | 162.88.193.70
Original Invoice PL&BL Draft.exe | malicious | 216.146.43.71
PAYMENT MT103-SWIFT.jar | malicious | 216.146.43.71
SWIFT 500395H.exe | malicious | 131.186.161.70
Groupo Dani Order_pdf.exe | malicious | 216.146.43.71
PO98000000090.jar | malicious | 131.186.161.70
Telex Transfer.exe | malicious | 162.88.193.70
New_ Order.exe | malicious | 162.88.193.70
URGENT RFQ 45253.exe | malicious | 131.186.113.70
SOA JAN 2021.exe | malicious | 216.146.43.71
HUIBAO PROFORMA INVOICE 07092021.jar | malicious | 216.146.43.71

                                                                              ASN

Match: DYNDNSUS
Associated Sample Name / URL | Detection | Context
Payment.exe | malicious | 216.146.43.71
proposal-Copy.exe | malicious | 131.186.113.70
RFQ CSDOK202040890.exe | malicious | 131.186.161.70
0020210089.exe | malicious | 131.186.113.70
SAL-0908889000.exe | malicious | 162.88.193.70
SWIFT 500395Y.exe | malicious | 131.186.161.70
Message Body.exe | malicious | 216.146.43.71
PaymentSwift.exe | malicious | 216.146.43.70
Halkbank_Ekstre_20210224_082357_541079.exe | malicious | 216.146.43.70
ditcrypted.exe | malicious | 162.88.193.70
Original Invoice PL&BL Draft.exe | malicious | 216.146.43.71
PAYMENT MT103-SWIFT.jar | malicious | 216.146.43.71
SWIFT 500395H.exe | malicious | 131.186.161.70
Groupo Dani Order_pdf.exe | malicious | 216.146.43.71
PO98000000090.jar | malicious | 131.186.161.70
Telex Transfer.exe | malicious | 162.88.193.70
New_ Order.exe | malicious | 162.88.193.70
URGENT RFQ 45253.exe | malicious | 131.186.113.70
SOA JAN 2021.exe | malicious | 216.146.43.71
HUIBAO PROFORMA INVOICE 07092021.jar | malicious | 216.146.43.71

Match: M247GB
Associated Sample Name / URL | Detection | Context
document-1021586454.xls | malicious | 37.10.71.186
document-1021586454.xls | malicious | 37.10.71.186
VKH2kBDk59.exe | malicious | 185.158.250.134
XP 6.xlsx | malicious | 46.243.248.149
Attached file.exe | malicious | 185.206.225.51
file.html | malicious | 185.189.112.202
file.html | malicious | 185.189.112.202
4hW0TZqN01.exe | malicious | 172.94.120.39
LdOgPDsMEf.exe | malicious | 46.243.248.168
mawlare.exe | malicious | 37.120.145.208
mawlare.exe | malicious | 37.120.145.208
ORDER FRD91PM7.xlsx | malicious | 38.132.109.186
ORDER FRD91PM7.xlsx | malicious | 38.132.109.186
QgWarCS5Z4.exe | malicious | 192.71.227.60
0zwHgf4MZ6.exe | malicious | 192.71.227.60
WlgBUuBdZm.exe | malicious | 192.71.227.60
7gRAlM4oGO.exe | malicious | 192.71.227.60
u67dk4vpoS.exe | malicious | 172.94.120.13
EeA8OHCoXT.exe | malicious | 188.72.85.37
cCkuGVM3Sk.exe | malicious | 188.72.85.37

                                                                              JA3 Fingerprints

                                                                              No context

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Recibo de entrega de DHL.exe.log
                                                                              Process:C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1594
                                                                              Entropy (8bit):5.336334182031907
                                                                              Encrypted:false
                                                                              SSDEEP:48:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHsAmHK2HKSHKKHKs:lrq5qXEwCYqhQnoPtIxHeqzNM/q2qSqY
                                                                              MD5:B9E8D9BC061D6715808BB3A28CECBA2B
                                                                              SHA1:6F18CD63C12AEC962D089F215658FD5BE1789BC3
                                                                              SHA-256:716E082F23E093EBCA2C8F994745CC7D62457D7359BBE555B75E275CE8EEEDC7
                                                                              SHA-512:6D97D3E34CBCC5C0CCF845E285F98DE1824A825AB1D306D20ED164B0B74270CED9AB694E40831EC796E9F823BB4E369166006E555D7BBD000A33A0FDA601F806
                                                                              Malicious:true
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                              C:\Users\user\Documents\Results.txt
                                                                              Process:C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):288
                                                                              Entropy (8bit):4.198812223020965
                                                                              Encrypted:false
                                                                              SSDEEP:6:KkiStv82FZ6vayIuboluzj1hviX/++L8P:KkD82FcvabuMczxV0ZL8P
                                                                              MD5:70ADC435E0D206FE7953E8045B4F01B2
                                                                              SHA1:836F13823BB9B17CFBBD5D475E45312DBAB0B2F1
                                                                              SHA-256:B89EB51318C18F9AC5253D3AEE6DB79F0520F835CAC3F96D8513D6F59D5EDE5C
                                                                              SHA-512:5910E939DD0D9F9F301DC352262453AD48120D3EA3AC8F33123542834CA32741FF55B55465282B73C9D7FAE2BD53762CFDCC02ADCF52E89867443AAF4323EFBC
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview: |------- Results - Passwords -------|..------- + INFO + -------....IP: 84.17.52.78....Owner Name: 216041..OS Name: Microsoft Windows 10 Pro..OS Version: 6.2.9200.0..OS PlatForm: Win32NT..RAM Size: 8.00 GB..-------------------------............---------------------------------------------
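The dropped Results.txt is the stealer's own summary of the infected host, and it is the artifact a responder will find on a real victim. The script below is an added example (not part of the Joe Sandbox report and not the malware's code) that reconstructs the file from the preview above and parses it. It assumes that each "." in the preview stands for one byte of a CRLF pair (the report lists the file as ASCII with CRLF terminators) and that the two separator lines are 25 and 45 dashes; under those assumptions the reconstruction is exactly the reported 288 bytes, which is a useful check. Which lines would carry stolen credentials is also an assumption; in this run the section between the separators is empty, i.e. the sandbox VM had nothing for the stealer to take.

```python
"""Parse a 404Keylogger/AgentTesla-style Results.txt and pull out the host fingerprint.

Added example, not code from the report or the sample. SAMPLE_LOG is
reconstructed from the report's file preview (constructed input; the
separator lengths are assumed so that the total is the reported 288 bytes).
"""
import re

SEP_SHORT = "-" * 25          # assumed length of the first separator line
SEP_LONG = "-" * 45           # assumed length of the closing separator line

SAMPLE_LOG = (
    "|------- Results - Passwords -------|\r\n"
    "------- + INFO + -------\r\n\r\n"
    "IP: 84.17.52.78\r\n\r\n"
    "Owner Name: 216041\r\n"
    "OS Name: Microsoft Windows 10 Pro\r\n"
    "OS Version: 6.2.9200.0\r\n"
    "OS PlatForm: Win32NT\r\n"
    "RAM Size: 8.00 GB\r\n"
    + SEP_SHORT + "\r\n" * 6 + SEP_LONG
)

BANNER_RE = re.compile(r"^\|-+ Results - (?P<section>[A-Za-z ]+) -+\|$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): (?P<value>.*\S)\s*$")


def results_section(text):
    """Return the section name from the banner line, or None if there is no banner."""
    first = text.split("\r\n", 1)[0]
    m = BANNER_RE.match(first)
    return m.group("section") if m else None


def parse_results_log(text):
    """Collect every 'Key: value' line into a dict; banner and separators are skipped."""
    fields = {}
    for line in text.split("\r\n"):
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def host_fingerprint(text):
    """The subset a responder needs to tie this log to a specific host."""
    f = parse_results_log(text)
    return {
        "public_ip": f.get("IP"),        # the address the stealer looked up from outside
        "os": f.get("OS Name"),
        "owner": f.get("Owner Name"),
    }


def credential_count(text):
    """Count non-separator lines after the first separator (assumed to be stolen entries)."""
    parts = text.split(SEP_SHORT + "\r\n", 1)
    if len(parts) < 2:
        return 0
    return sum(1 for line in parts[1].split("\r\n")
               if line and not line.startswith("-"))


if __name__ == "__main__":
    print("section     :", results_section(SAMPLE_LOG))
    print("fingerprint :", host_fingerprint(SAMPLE_LOG))
    print("credentials :", credential_count(SAMPLE_LOG))
```

The "IP:" value is what the sample obtained by asking an external service for its public address, which is consistent with the checkip.dyndns.org entries in the context tables above and with the "May check the online IP address of the machine" signature; on a victim machine that line, together with the Owner Name and OS fields, is what lets you match an exfiltrated log to a host.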

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):7.498081225430686
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              File name:Recibo de entrega de DHL.exe
                                                                              File size:375296
                                                                              MD5:335a69ee25155d53f6df46c020aa90cd
                                                                              SHA1:cbecea1d93ff376b6a7f5ea72c191d4020372344
                                                                              SHA256:66dd2c7ac2b0bc7b604efa99f21a828da26c15a366a2e809e23b82dda44b63dd
                                                                              SHA512:5169363ca9bbfbec00e718891976b84ff488065dcc59466517b97e241afba882e5ab0afbfa4c20ba6186feafe2f8af6175aa10c194fb5124b59155db11751d3a
                                                                              SSDEEP:6144:5lAsmm9PRXvDUtDCpewbzTwrp41W386OvsDfYt7Yt6AECul1CRtA3I/mqV7Uw86w:5l1VvAOYwbY4ksDWY2t2lf3I/mqVc6eF
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................P.................. ........@.. ....................... ............@................................

                                                                              File Icon

                                                                              Icon Hash:00828e8e8686b000

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x45ceb2
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                              Time Stamp:0xA3A09597 [Thu Dec 28 06:24:23 2056 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:v4.0.30319
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
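The fields above are the ones a triage analyst reads straight out of the COFF and optional headers, and the time stamp is what fires the "Binary contains a suspicious time stamp" signature: 0xA3A09597 decodes to 28 December 2056, decades after the sample was analysed. The script below is an added example (not part of the Joe Sandbox report and not code from the sample) that parses those fields and applies the same check. The header bytes it operates on are constructed so that it runs offline: only the values reported above (time stamp, entry point and image base, OS version, subsystem, image and DLL characteristics) are real, everything else is filler, and the analysis date is an assumption.

```python
"""Read the PE header fields listed under "Static PE Info" and check the link time.

Added example, not code from the report or the sample. build_stub_header()
creates a CONSTRUCTED minimal PE32 header carrying the reported values so
the parser has something to run on offline.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
DLL_CHARACTERISTICS = {                 # subset of the PE spec flags
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def build_stub_header(timestamp, entry_rva, image_base, characteristics,
                      dll_characteristics, subsystem=2):
    """Build a minimal PE32 header (constructed test input, not the sample's bytes)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0,
                       characteristics)               # IMAGE_FILE_HEADER, 20 bytes
    opt = bytearray(0xE0)                             # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)            # MajorOSVersion, MinorOSVersion
    struct.pack_into("<HH", opt, 68, subsystem, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_header(data):
    """Return the COFF/optional-header fields used for first-pass triage."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, _nsec, ts, _, _, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "timestamp": ts,
        "entry_va": image_base + entry_rva,   # VA at the preferred base, as the report shows it
        "image_base": image_base,
        "os_version": (os_major, os_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "characteristics": chars,
        "dll_characteristics": dll_chars,
    }


def timestamp_to_utc(ts):
    """TimeDateStamp is seconds since the Unix epoch."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_suspicious(ts, analysed_at):
    """A link time after the analysis date, or before ~1990, cannot be genuine."""
    when = timestamp_to_utc(ts)
    return when > analysed_at or when.year < 1990


def dll_characteristic_names(flags):
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if flags & bit]


# Values reported for the sample; the analysis date is assumed.
SAMPLE_HEADER = build_stub_header(
    0xA3A09597, 0x5CEB2, 0x400000,
    IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE, 0x8540)
ANALYSED_AT = datetime(2021, 2, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    info = parse_pe_header(SAMPLE_HEADER)
    stamp = timestamp_to_utc(info["timestamp"])
    print("entry point : 0x%x" % info["entry_va"])
    print("time stamp  : 0x%08x [%s UTC]" % (info["timestamp"],
                                             stamp.strftime("%a %b %d %H:%M:%S %Y")))
    print("suspicious  :", timestamp_is_suspicious(info["timestamp"], ANALYSED_AT))
    print("dll chars   :", ", ".join(dll_characteristic_names(info["dll_characteristics"])))
```

Two caveats when reading these fields on other samples. A future or ancient link time is only a weak signal on its own: a .NET assembly built with Roslyn's deterministic option carries a content hash in TimeDateStamp rather than a date, so an implausible value does not by itself prove tampering; here it merely adds to a verdict the behavioural signatures already establish. And the import hash is of little use for clustering .NET executables, because they all import a single function (mscoree!_CorExeMain) and therefore share the same value; the entry point preview that follows, a single jmp through 0x402000 followed by zero padding, is that _CorExeMain trampoline.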

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              jmp dword ptr [00402000h]
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al

Data Directories

Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0x5ce60          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       0x5e000          0x5ac         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x60000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x5ce44          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x5aeb8       0x5b000   False     0.784244076236   data       7.51567311339   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x5e000          0x5ac         0x600     False     0.427083333333   data       4.12323823165   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x60000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0x5e090  0x31c  data
RT_MANIFEST  0x5e3bc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020 - 2021
Assembly Version  6.4.0.2
InternalName      c.exe
FileVersion       6.4.0.2
CompanyName
LegalTrademarks
Comments
ProductName       Table Adapter
ProductVersion    6.4.0.2
FileDescription   Table Adapter
OriginalFilename  c.exe

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets

                                                                              Feb 25, 2021 11:02:21.658520937 CET5591653192.168.2.48.8.8.8
                                                                              Feb 25, 2021 11:02:21.707285881 CET53559168.8.8.8192.168.2.4
                                                                              Feb 25, 2021 11:02:22.440157890 CET5275253192.168.2.48.8.8.8
                                                                              Feb 25, 2021 11:02:22.491825104 CET53527528.8.8.8192.168.2.4
                                                                              Feb 25, 2021 11:02:23.797410011 CET6054253192.168.2.48.8.8.8
                                                                              Feb 25, 2021 11:02:23.849209070 CET53605428.8.8.8192.168.2.4
                                                                              Feb 25, 2021 11:02:46.085253954 CET6068953192.168.2.48.8.8.8
                                                                              Feb 25, 2021 11:02:46.137064934 CET53606898.8.8.8192.168.2.4
                                                                              Feb 25, 2021 11:02:47.596141100 CET6420653192.168.2.48.8.8.8
                                                                              Feb 25, 2021 11:02:47.667078972 CET53642068.8.8.8192.168.2.4

                                                                              DNS Queries

                                                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                              Feb 25, 2021 11:01:15.877588987 CET | 192.168.2.4 | 8.8.8.8 | 0xa838 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:15.945533037 CET | 192.168.2.4 | 8.8.8.8 | 0xa261 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:26.425578117 CET | 192.168.2.4 | 8.8.8.8 | 0x1f79 | Standard query (0) | mail.sapgroup.com.pk | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:26.868973970 CET | 192.168.2.4 | 8.8.8.8 | 0xdc2f | Standard query (0) | mail.sapgroup.com.pk | A (IP address) | IN (0x0001)

                                                                              DNS Answers

                                                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                              Feb 25, 2021 11:01:15.926315069 CET | 8.8.8.8 | 192.168.2.4 | 0xa838 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:15.926315069 CET | 8.8.8.8 | 192.168.2.4 | 0xa838 | No error (0) | checkip.dyndns.com | - | 131.186.113.70 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:15.926315069 CET | 8.8.8.8 | 192.168.2.4 | 0xa838 | No error (0) | checkip.dyndns.com | - | 162.88.193.70 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:15.926315069 CET | 8.8.8.8 | 192.168.2.4 | 0xa838 | No error (0) | checkip.dyndns.com | - | 216.146.43.71 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:15.926315069 CET | 8.8.8.8 | 192.168.2.4 | 0xa838 | No error (0) | checkip.dyndns.com | - | 216.146.43.70 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:15.926315069 CET | 8.8.8.8 | 192.168.2.4 | 0xa838 | No error (0) | checkip.dyndns.com | - | 131.186.161.70 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:16.001646996 CET | 8.8.8.8 | 192.168.2.4 | 0xa261 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:16.001646996 CET | 8.8.8.8 | 192.168.2.4 | 0xa261 | No error (0) | checkip.dyndns.com | - | 131.186.113.70 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:16.001646996 CET | 8.8.8.8 | 192.168.2.4 | 0xa261 | No error (0) | checkip.dyndns.com | - | 216.146.43.71 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:16.001646996 CET | 8.8.8.8 | 192.168.2.4 | 0xa261 | No error (0) | checkip.dyndns.com | - | 216.146.43.70 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:16.001646996 CET | 8.8.8.8 | 192.168.2.4 | 0xa261 | No error (0) | checkip.dyndns.com | - | 162.88.193.70 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:16.001646996 CET | 8.8.8.8 | 192.168.2.4 | 0xa261 | No error (0) | checkip.dyndns.com | - | 131.186.161.70 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:26.573837996 CET | 8.8.8.8 | 192.168.2.4 | 0x1f79 | No error (0) | mail.sapgroup.com.pk | sapgroup.com.pk | - | CNAME (Canonical name) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:26.573837996 CET | 8.8.8.8 | 192.168.2.4 | 0x1f79 | No error (0) | sapgroup.com.pk | - | 95.215.225.23 | A (IP address) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:27.075436115 CET | 8.8.8.8 | 192.168.2.4 | 0xdc2f | No error (0) | mail.sapgroup.com.pk | sapgroup.com.pk | - | CNAME (Canonical name) | IN (0x0001)
                                                                              Feb 25, 2021 11:01:27.075436115 CET | 8.8.8.8 | 192.168.2.4 | 0xdc2f | No error (0) | sapgroup.com.pk | - | 95.215.225.23 | A (IP address) | IN (0x0001)

                                                                              HTTP Request Dependency Graph

                                                                              • checkip.dyndns.org

                                                                              HTTP Packets

                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                              0 | 192.168.2.4 | 49733 | 131.186.113.70 | 80 | C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                              Feb 25, 2021 11:01:16.100343943 CET | 2649 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Feb 25, 2021 11:01:16.161358118 CET | 2649 | IN | HTTP/1.1 200 OK
                                                                              Content-Type: text/html
                                                                              Server: DynDNS-CheckIP/1.2.0
                                                                              Connection: close
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              Content-Length: 103
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>


                                                                              SMTP Packets

                                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                              Feb 25, 2021 11:01:28.086750984 CET | 587 | 49738 | 95.215.225.23 | 192.168.2.4 | 220-cp8.ukdns.biz ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 10:01:28 +0000
                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                              220 and/or bulk e-mail.
                                                                              Feb 25, 2021 11:01:28.087178946 CET | 49738 | 587 | 192.168.2.4 | 95.215.225.23 | EHLO 216041
                                                                              Feb 25, 2021 11:01:28.145792961 CET | 587 | 49738 | 95.215.225.23 | 192.168.2.4 | 250-cp8.ukdns.biz Hello 216041 [84.17.52.78]
                                                                              250-SIZE 52428800
                                                                              250-8BITMIME
                                                                              250-PIPELINING
                                                                              250-AUTH PLAIN LOGIN
                                                                              250-STARTTLS
                                                                              250 HELP
                                                                              Feb 25, 2021 11:01:28.146311045 CET | 49738 | 587 | 192.168.2.4 | 95.215.225.23 | STARTTLS
                                                                              Feb 25, 2021 11:01:28.209126949 CET | 587 | 49738 | 95.215.225.23 | 192.168.2.4 | 220 TLS go ahead

                                                                              Code Manipulations

                                                                              Statistics

                                                                              CPU Usage

                                                                              Memory Usage

                                                                              High Level Behavior Distribution

                                                                              Behavior

                                                                              System Behavior

                                                                              General

                                                                              Start time: 11:01:04
                                                                              Start date: 25/02/2021
                                                                              Path: C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                                                                              Wow64 process (32bit): true
                                                                              Commandline: 'C:\Users\user\Desktop\Recibo de entrega de DHL.exe'
                                                                              Imagebase: 0xa00000
                                                                              File size: 375296 bytes
                                                                              MD5 hash: 335A69EE25155D53F6DF46C020AA90CD
                                                                              Has elevated privileges: true
                                                                              Has administrator privileges: true
                                                                              Programmed in: .Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_404Keylogger, Description: Yara detected 404Keylogger, Source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              Reputation: low

                                                                              General

                                                                              Start time: 11:01:13
                                                                              Start date: 25/02/2021
                                                                              Path: C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                                                                              Wow64 process (32bit): false
                                                                              Commandline: C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                                                                              Imagebase: 0x310000
                                                                              File size: 375296 bytes
                                                                              MD5 hash: 335A69EE25155D53F6DF46C020AA90CD
                                                                              Has elevated privileges: true
                                                                              Has administrator privileges: true
                                                                              Programmed in: C, C++ or other language
                                                                              Reputation: low

                                                                              General

                                                                              Start time: 11:01:13
                                                                              Start date: 25/02/2021
                                                                              Path: C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                                                                              Wow64 process (32bit): true
                                                                              Commandline: C:\Users\user\Desktop\Recibo de entrega de DHL.exe
                                                                              Imagebase: 0x9f0000
                                                                              File size: 375296 bytes
                                                                              MD5 hash: 335A69EE25155D53F6DF46C020AA90CD
                                                                              Has elevated privileges: true
                                                                              Has administrator privileges: true
                                                                              Programmed in: .Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_404Keylogger, Description: Yara detected 404Keylogger, Source: 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_404Keylogger, Description: Yara detected 404Keylogger, Source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Reputation: low

                                                                              Disassembly

                                                                              Code Analysis

                                                                                Executed Functions

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CBE02A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CBE02A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CB7046,?,?,?,?,?), ref: 02CB7107
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CB7046,?,?,?,?,?), ref: 02CB7107
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CB7046,?,?,?,?,?), ref: 02CB7107
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02CBBD21,00000800,00000000,00000000), ref: 02CBBF32
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02CBBD21,00000800,00000000,00000000), ref: 02CBBF32
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 2001cb36f93ff09ecfaf6997d90b234e38dcfa2adb11c0082a8165891b667cfe
                                                                                • Instruction ID: 9dafc2772a6a9a6156aabe55a711f5ed844e149476bd2b162cce05a01b80789d
                                                                                • Opcode Fuzzy Hash: 2001cb36f93ff09ecfaf6997d90b234e38dcfa2adb11c0082a8165891b667cfe
                                                                                • Instruction Fuzzy Hash: 1F1117B6D042489FCB10CF9AD444BDEFBF4EF88314F00842AE815A7600C375A945CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02CBBD21,00000800,00000000,00000000), ref: 02CBBF32
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 45868f900809d4c6178bf7d54f55b57ec0b214ae759b72e05495c8de966bf6e8
                                                                                • Instruction ID: 8ac517b5b1b6cf1892f6af985302027d278b27aef5655e526fc5abb7127a40c2
                                                                                • Opcode Fuzzy Hash: 45868f900809d4c6178bf7d54f55b57ec0b214ae759b72e05495c8de966bf6e8
                                                                                • Instruction Fuzzy Hash: 1E1114B6D042498FCB10CF99C544BDEFBF4EF88318F14842AD819A7600C375A945CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02CBBA73), ref: 02CBBCA6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: f393ee73e79eb2fa3cdb75f027710e034e239f4122c51e5b81e43cf46ebb8c90
                                                                                • Instruction ID: 104eda73fa48c9ab96deee27a4063c9877a1a23e7d00f8db08e6b85de8829efb
                                                                                • Opcode Fuzzy Hash: f393ee73e79eb2fa3cdb75f027710e034e239f4122c51e5b81e43cf46ebb8c90
                                                                                • Instruction Fuzzy Hash: F81116B5D006498FDB10CF9AC444BDEFBF4EF88218F11846AD819B7600D774A946CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02CBE148,?,?,?,?), ref: 02CBE1BD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LongWindow
                                                                                • String ID:
                                                                                • API String ID: 1378638983-0
                                                                                • Opcode ID: 3df796e76f20cfac2e3f8b2d136eb3b7c32a50cf8fd4f30bb35a9c4796c16d79
                                                                                • Instruction ID: 1eee2241722354e0d92554cf1a338ad57f850471939bf4f8caec9a29cea072c3
                                                                                • Opcode Fuzzy Hash: 3df796e76f20cfac2e3f8b2d136eb3b7c32a50cf8fd4f30bb35a9c4796c16d79
                                                                                • Instruction Fuzzy Hash: B111F5B59042489FDB10DF99D984BDEBBF8EB48724F108459E915A7701C374A944CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02CBE148,?,?,?,?), ref: 02CBE1BD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LongWindow
                                                                                • String ID:
                                                                                • API String ID: 1378638983-0
                                                                                • Opcode ID: ac6fa63cacd9ea63872329f7d0a2c660595196ea64002f001b92e9a00a4a8c17
                                                                                • Instruction ID: 24d4e0bc677085d8645dcbec77312b5d58cc4a0f3a4b40edcd90ff7e46990b41
                                                                                • Opcode Fuzzy Hash: ac6fa63cacd9ea63872329f7d0a2c660595196ea64002f001b92e9a00a4a8c17
                                                                                • Instruction Fuzzy Hash: 2B11FEB6900258DFDB10CF99D985BDEBBF8EF48324F24841AD918B7600C374A944CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5172fc2d827c85426fcd61ddaf2e14883a71a19b8db140bf7c27cea2a8eb5c7c
                                                                                • Instruction ID: b5e11ed63dc31d18af306719bed3d2bd846467078ce2f042f8b801e78ad08a40
                                                                                • Opcode Fuzzy Hash: 5172fc2d827c85426fcd61ddaf2e14883a71a19b8db140bf7c27cea2a8eb5c7c
                                                                                • Instruction Fuzzy Hash: 2FE16C347012089FCF18DB68D488AADBBF7BF85214F2985A5E849DB361DB31ED46CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ff0a6e3b2d3fd25c882c0ea33ff77ac9af9e2f2e4ade64c4f56243b47acaf0d8
                                                                                • Instruction ID: 33018679071ffe3d229d82425dd96370eacc38a482571acf43b8174c10c8dc87
                                                                                • Opcode Fuzzy Hash: ff0a6e3b2d3fd25c882c0ea33ff77ac9af9e2f2e4ade64c4f56243b47acaf0d8
                                                                                • Instruction Fuzzy Hash: 335106357042448FCB09DF78C8509AE7BB6FF89214B1845AAE955CB3B2CB34DD06CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7f9bb40ce44f4af3706cedc0515142e30183c4c3bd5b0b0b58c481978435eaed
                                                                                • Instruction ID: aa9cc8999287615bdc970195df38b3c3a533fc1b49a760c9c3157ca734000123
                                                                                • Opcode Fuzzy Hash: 7f9bb40ce44f4af3706cedc0515142e30183c4c3bd5b0b0b58c481978435eaed
                                                                                • Instruction Fuzzy Hash: 59316D717002148FCF09DF69C884DAE77BABF89214B1542AAEA15DB3B1DB74DC01CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4d12f20d50752c0ce662cb394db7061a77561d3f85643c1880f9a393f3074bbb
                                                                                • Instruction ID: 0b374e79de058c7ea667fefc6b548bfcc5c09ec3a8bed3c252fa2d3cd2353702
                                                                                • Opcode Fuzzy Hash: 4d12f20d50752c0ce662cb394db7061a77561d3f85643c1880f9a393f3074bbb
                                                                                • Instruction Fuzzy Hash: 283160717042148FCF09DF68C894DAE7BBABF49214B0542AAF915DB2B1DB74DC01DB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ed7144d48ccb6e1dfab5173817fd692d63cdd4401f3ed7008605d823d5827ae9
                                                                                • Instruction ID: 423c0ed585dd72387b0ff760e8b09e2d16591d81774840a2008b4400024e8853
                                                                                • Opcode Fuzzy Hash: ed7144d48ccb6e1dfab5173817fd692d63cdd4401f3ed7008605d823d5827ae9
                                                                                • Instruction Fuzzy Hash: 46313C317042119FD71CDF39D898A29BBAAFF8925571845ADE856CB3A0CF32EC41CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 979981c9072e3a2f3a9307644b2464b384af30d4fbf333b455b16bb6cd74ffcf
                                                                                • Instruction ID: 13398c8406099876a6f1cac4bd86836dcd972ba27da34e1bfec427bed1ada4a5
                                                                                • Opcode Fuzzy Hash: 979981c9072e3a2f3a9307644b2464b384af30d4fbf333b455b16bb6cd74ffcf
                                                                                • Instruction Fuzzy Hash: 8121A4343106108FCB29DB29D954FA977EABF85218F08C86AD846CB7A5CB74DD05C791
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c0762c72a759f68e37193a4a4de510451aee3be74aea2cb38b2a0b670651005e
                                                                                • Instruction ID: b8e62910080ea7be10a14df721ec071793df050a5538089ad9fef0b2e339e010
                                                                                • Opcode Fuzzy Hash: c0762c72a759f68e37193a4a4de510451aee3be74aea2cb38b2a0b670651005e
                                                                                • Instruction Fuzzy Hash: 5911B4353042119FC7099F69D898A6ABB79FF85310B1442AEF806CB391CF31DD41CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5a932b2e253dbde2d046be4da8dc20948af16566151e14c9575b2b172346201b
                                                                                • Instruction ID: 711cd2674daf40a040c486861ebe3e27edbb76228143c4b0e8b08980a209aa70
                                                                                • Opcode Fuzzy Hash: 5a932b2e253dbde2d046be4da8dc20948af16566151e14c9575b2b172346201b
                                                                                • Instruction Fuzzy Hash: 0C1142303106158FDB28DB29C454F66B7EAAF89214F18C879D84AC77A4DF75EC05CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: db71e48c32e9212922fe0f28260a4e4aa715fb50db1c8de6b36f84d21b414f5e
                                                                                • Instruction ID: 00d78dd353ceffc2bd7b43763030b8b91e04361b3e5f4cadecdcc75220a1b3c8
                                                                                • Opcode Fuzzy Hash: db71e48c32e9212922fe0f28260a4e4aa715fb50db1c8de6b36f84d21b414f5e
                                                                                • Instruction Fuzzy Hash: 340122313047448FCB19DA38A4895EA7FB7FFC8260718046AE88ACB310CE31EC0283D1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0e4eea3a550fbc79827a83713a0258ec8f8615d6c944fa8e0aca8698f7fb67bc
                                                                                • Instruction ID: 76c9075226bd10119aa39a5aa0bcf4c5c04a75f1c31b18a1d26ce73de3fc6095
                                                                                • Opcode Fuzzy Hash: 0e4eea3a550fbc79827a83713a0258ec8f8615d6c944fa8e0aca8698f7fb67bc
                                                                                • Instruction Fuzzy Hash: 22018F313006188BCB5CDA29A489AEA7BABFBC82607184469E94AC7314DE31EC0287D0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c025d445d7d49e72601a231f020d46b0c6c7a0ecdef68bb1026ddeacd8e5413d
                                                                                • Instruction ID: 99ba0a6a8027662c643218c0213b5a3203f5269f0975af6ba9ea789db4491177
                                                                                • Opcode Fuzzy Hash: c025d445d7d49e72601a231f020d46b0c6c7a0ecdef68bb1026ddeacd8e5413d
                                                                                • Instruction Fuzzy Hash: B8F027302407658FCB159B74E5687E93BA2BF85B05F0484AFE449CB761CE345E04C790
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f0e3295941fa85a570c42f5cb18c029f221bee15eb42c4e01061d7a361407a19
                                                                                • Instruction ID: ded5e5234a1266e8a82d21aa1182a611eb1c1d80be2b9146eb2ebb33077ea989
                                                                                • Opcode Fuzzy Hash: f0e3295941fa85a570c42f5cb18c029f221bee15eb42c4e01061d7a361407a19
                                                                                • Instruction Fuzzy Hash: 24E02B363041604FC7064E68A9944E9BFA9EFC913130541B7FA45D7373CA30CD058360
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 18e1ae3dbc7549d997a889ec7915baef568be68549332081e67f2d47ca2e412f
                                                                                • Instruction ID: 80d002190d8450daa2defb5c39c65622ea3126e5a5731aa17abd2b264f443682
                                                                                • Opcode Fuzzy Hash: 18e1ae3dbc7549d997a889ec7915baef568be68549332081e67f2d47ca2e412f
                                                                                • Instruction Fuzzy Hash: 57F037303506198FCB189B39D458BB97796FF85604F044869E54ACB760CE75AC44C781
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c043e96abe315dc2cf67ae1b0edf8278743292803be78c6a67d6baeee7d4a2ca
                                                                                • Instruction ID: c14f0ecd6dfc5031164239d6d3fc07b27f4c853c480d135644605d0cba981408
                                                                                • Opcode Fuzzy Hash: c043e96abe315dc2cf67ae1b0edf8278743292803be78c6a67d6baeee7d4a2ca
                                                                                • Instruction Fuzzy Hash: 5EE0D8313001146B87085A5EA4888AABBDAEBC96303044076FA09C7321CE71DC008390
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 552456c77197b6038913b238ad9cdf28a04f44b10a4cf288ff63bf507a8cef69
                                                                                • Instruction ID: 791b005aeeabcd10f247d63d90412ac22efff2845528a774773c9934469c8967
                                                                                • Opcode Fuzzy Hash: 552456c77197b6038913b238ad9cdf28a04f44b10a4cf288ff63bf507a8cef69
                                                                                • Instruction Fuzzy Hash: DF5234B9620B168FD711CF24F88E2997FE1BF45318F904209E2A15B6D1DBB4658ACF84
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 75%
                                                                                Note on this listing: it is decompiler output for a non-executed region of the 02CB0000 memory dump (the Memory Dump Source above is marked "based on PE: false"). The body consists of segment-register pushes (ds, es, cs), privileged or unusual instructions (cli, sti, hlt, in, int1), BCD adjust instructions (aaa, aas, daa) and long runs of self-referencing adds of the form *x = *x + x, which is what a disassembler produces when it is pointed at data rather than at code. Treat this function as an artifact of decoding non-code bytes in the dump, not as recovered malware logic.
                                                                                			E00A0ADD9(signed int __eax, signed int __ebx, void* __ecx, signed int __edx, void* __edi, intOrPtr* __esi, void* __fp0) {
                                                                                				signed char _t143;
                                                                                				signed int* _t145;
                                                                                				signed int* _t147;
                                                                                				signed int _t148;
                                                                                				signed int _t149;
                                                                                				signed int _t150;
                                                                                				signed int _t151;
                                                                                				signed int _t152;
                                                                                				intOrPtr* _t155;
                                                                                				signed int _t156;
                                                                                				intOrPtr* _t157;
                                                                                				signed char _t159;
                                                                                				signed char _t161;
                                                                                				signed char _t162;
                                                                                				signed char _t163;
                                                                                				intOrPtr* _t164;
                                                                                				void* _t165;
                                                                                				signed int _t167;
                                                                                				intOrPtr* _t168;
                                                                                				intOrPtr* _t169;
                                                                                				signed char _t172;
                                                                                				signed int _t176;
                                                                                				signed int _t177;
                                                                                				void* _t179;
                                                                                				intOrPtr* _t180;
                                                                                				intOrPtr* _t182;
                                                                                				signed char _t186;
                                                                                				void* _t187;
                                                                                				void* _t189;
                                                                                				void* _t192;
                                                                                				void* _t193;
                                                                                				signed int _t197;
                                                                                				intOrPtr* _t199;
                                                                                				intOrPtr* _t200;
                                                                                				intOrPtr* _t201;
                                                                                				signed int* _t202;
                                                                                				signed int _t203;
                                                                                				signed char _t205;
                                                                                				void* _t206;
                                                                                				signed char _t209;
                                                                                				void* _t215;
                                                                                				void* _t216;
                                                                                				signed int _t219;
                                                                                				signed int _t222;
                                                                                				signed int _t223;
                                                                                				signed int _t225;
                                                                                				signed int* _t227;
                                                                                				intOrPtr* _t228;
                                                                                				signed int _t229;
                                                                                				signed char _t230;
                                                                                				signed int _t236;
                                                                                				void* _t238;
                                                                                
                                                                                				_push(ds);
                                                                                				_push(es);
                                                                                				 *((intOrPtr*)(_t229 + 0x2f)) =  *((intOrPtr*)(_t229 + 0x2f)) + __eax;
                                                                                				asm("fild word [edx]");
                                                                                				asm("sbb al, [eax]");
                                                                                				 *(__ecx - 0x49ffe1fd) =  *(__ecx - 0x49ffe1fd) | _t229;
                                                                                				_t143 = __eax ^ __ebx;
                                                                                				_push(ds);
                                                                                				_push(es);
                                                                                				 *((intOrPtr*)(__edi + __ebx)) =  *((intOrPtr*)(__edi + __ebx)) + _t143;
                                                                                				asm("fild word [edx]");
                                                                                				_push(es);
                                                                                				 *0x1e444c18 =  *0x1e444c18 + __ebx;
                                                                                				 *((intOrPtr*)(__edx + __esi + 0x1e1ec7)) =  *((intOrPtr*)(__edx + __esi + 0x1e1ec7)) + __ecx;
                                                                                				asm("cli");
                                                                                				 *(_t143 + 3) =  *(_t143 + 3) ^ __edx;
                                                                                				_t145 =  *0x1e1da227;
                                                                                				_t145[0x780d40a] = _t145 + _t145[0x780d40a];
                                                                                				 *((intOrPtr*)(__edi + 0x3f)) =  *((intOrPtr*)(__edi + 0x3f)) + __ecx;
                                                                                				_push(_t145);
                                                                                				_t145[0x180d403] = _t145 + _t145[0x180d403];
                                                                                				 *((intOrPtr*)(__edi + 0x28)) =  *((intOrPtr*)(__edi + 0x28)) + __ecx;
                                                                                				_push(ds);
                                                                                				 *_t145 =  *_t145 - __edx;
                                                                                				_t192 = __ecx + __ecx + __ecx + __ecx;
                                                                                				asm("sbb [eax], dl");
                                                                                				_t147 = _t145;
                                                                                				 *((intOrPtr*)(__esi + 0x1a2c1028)) =  *((intOrPtr*)(__esi + 0x1a2c1028)) + _t192;
                                                                                				_t193 = _t192 + __ebx +  *__esi;
                                                                                				_push(cs);
                                                                                				_t227 = __esi - _t193;
                                                                                				asm("sbb al, [eax]");
                                                                                				asm("lahf");
                                                                                				asm("sbb al, [eax]");
                                                                                				_t197 = (_t193 + 0x00000001 ^ __edx) + 1 -  *((intOrPtr*)((_t193 + 0x00000001 ^ __edx) + 1 - 0x1effe5fd));
                                                                                				_t209 = __edx ^  *_t147;
                                                                                				_t148 = _t147 - 6;
                                                                                				 *((intOrPtr*)(_t197 + 0x1e)) =  *((intOrPtr*)(_t197 + 0x1e)) + 0xe;
                                                                                				asm("sti");
                                                                                				_t176 = 0x0000000e &  *_t209;
                                                                                				 *((intOrPtr*)(_t148 + 0x11)) =  *((intOrPtr*)(_t148 + 0x11)) + _t197;
                                                                                				_t219 = __edi - _t176;
                                                                                				_t149 = _t148 &  *_t227;
                                                                                				 *((intOrPtr*)(_t209 + 0x623fb2b)) =  *((intOrPtr*)(_t209 + 0x623fb2b)) + _t149;
                                                                                				_t227[0xa] = _t227[0xa] + _t149;
                                                                                				asm("sti");
                                                                                				_t150 = _t149 &  *_t227;
                                                                                				 *((intOrPtr*)(_t219 + 0x623fb + _t150 * 2)) =  *((intOrPtr*)(_t219 + 0x623fb + _t150 * 2)) + _t176;
                                                                                				 *(_t176 + _t219 * 8) =  *(_t176 + _t219 * 8) ^ _t229;
                                                                                				_t177 = _t176 + _t150;
                                                                                				 *((intOrPtr*)(_t229 + 0x2b)) =  *((intOrPtr*)(_t229 + 0x2b)) + _t209;
                                                                                				asm("sti");
                                                                                				_t151 = _t150 &  *_t227;
                                                                                				 *((intOrPtr*)(_t177 + _t229)) =  *((intOrPtr*)(_t177 + _t229)) + _t151;
                                                                                				asm("sti");
                                                                                				_t152 = _t151 &  *_t227;
                                                                                				_t199 = (_t197 &  *_t227) + _t152;
                                                                                				asm("adc bl, bh");
                                                                                				 *_t152 =  *_t152 + _t152;
                                                                                				 *((intOrPtr*)(_t199 + 0x21001a03)) =  *((intOrPtr*)(_t199 + 0x21001a03)) - _t229;
                                                                                				gs = es;
                                                                                				_t179 = (_t177 &  *_t209) +  *_t209;
                                                                                				 *((intOrPtr*)(_t209 + 0x1a03a929)) =  *((intOrPtr*)(_t209 + 0x1a03a929)) + _t179;
                                                                                				 *((intOrPtr*)(_t209 + 0x43)) =  *((intOrPtr*)(_t209 + 0x43)) + _t152;
                                                                                				_t180 = _t179 + 1;
                                                                                				asm("sbb eax, 0x1e23fb");
                                                                                				asm("hlt");
                                                                                				asm("sbb [eax+0x3], edx");
                                                                                				asm("sbb al, [eax]");
                                                                                				asm("sbb ch, [ebx]");
                                                                                				_t228 = _t227 + _t227;
                                                                                				_t155 = _t152 +  *_t227 + _t199 +  *((intOrPtr*)(_t152 +  *_t227 + _t199));
                                                                                				 *_t155 =  *_t155 + _t155;
                                                                                				 *((intOrPtr*)(_t228 + 2)) =  *((intOrPtr*)(_t228 + 2)) + _t180;
                                                                                				 *_t199 =  *_t199 + _t155;
                                                                                				 *_t199 =  *_t199 + _t155;
                                                                                				 *_t155 =  *_t155 + _t155;
                                                                                				 *_t155 =  *_t155 + _t155;
                                                                                				 *((intOrPtr*)(_t199 + 0x26)) =  *((intOrPtr*)(_t199 + 0x26)) + 0xe;
                                                                                				_push(_t180);
                                                                                				_t200 = _t199 - 1;
                                                                                				 *_t200 =  *_t200 + _t155;
                                                                                				 *_t200 =  *_t200 + _t155;
                                                                                				 *_t155 =  *_t155 + _t155;
                                                                                				 *_t155 =  *_t155 + _t155;
                                                                                				 *((intOrPtr*)(_t200 + 0x33)) =  *((intOrPtr*)(_t200 + 0x33)) + 0xe;
                                                                                				_t201 = _t180;
                                                                                				 *_t201 =  *_t201 + _t155;
                                                                                				 *((intOrPtr*)(_t155 + _t155)) =  *((intOrPtr*)(_t155 + _t155)) + _t155;
                                                                                				 *_t201 =  *_t201 + _t155;
                                                                                				asm("adc [eax], al");
                                                                                				asm("pushfd");
                                                                                				asm("aas");
                                                                                				_push(_t180);
                                                                                				_t222 = _t219 + 3;
                                                                                				 *[gs:ecx] =  *[gs:ecx] + _t155;
                                                                                				 *0 =  *0 + _t155;
                                                                                				 *[gs:esi] =  *[gs:esi] + _t155;
                                                                                				 *_t180 =  *_t180 + _t201;
                                                                                				 *_t155 =  *_t155 + _t155;
                                                                                				 *_t155 =  *_t155 + _t209 + _t209 + _t180;
                                                                                				_t156 = _t155 + _t180;
                                                                                				 *[gs:esi] =  *[gs:esi] + _t156;
                                                                                				 *0x10000 =  *0x10000 + _t201;
                                                                                				 *[gs:edi] =  *[gs:edi] + _t156;
                                                                                				 *_t222 =  *_t222 + _t201;
                                                                                				 *_t156 =  *_t156 + _t156;
                                                                                				 *_t156 =  *_t156 + 0x36;
                                                                                				_t202 = _t201 + _t156;
                                                                                				asm("popfd");
                                                                                				 *_t202 = _t202 +  *_t202;
                                                                                				 *_t180 =  *_t180 + 0x36;
                                                                                				 *_t156 =  *_t156 + _t156;
                                                                                				 *_t156 =  *_t156 + _t156;
                                                                                				 *((intOrPtr*)(_t229 + 0x65475348)) =  *((intOrPtr*)(_t229 + 0x65475348)) + 0x36;
                                                                                				 *((intOrPtr*)(_t156 + _t156)) =  *((intOrPtr*)(_t156 + _t156)) + _t202;
                                                                                				asm("sbb [eax], al");
                                                                                				 *_t156 =  *_t156 + _t156;
                                                                                				 *_t156 =  *_t156 + _t156;
                                                                                				asm("adc ecx, [eax]");
                                                                                				 *((intOrPtr*)(_t156 + _t156)) =  *((intOrPtr*)(_t156 + _t156)) + _t202;
                                                                                				asm("sbb [eax], eax");
                                                                                				 *_t156 =  *_t156 + _t156;
                                                                                				asm("adc [eax], al");
                                                                                				asm("stc");
                                                                                				asm("adc [eax], al");
                                                                                				 *[es:ecx] =  *[es:ecx] + _t156;
                                                                                				 *_t156 =  *_t156 + _t156;
                                                                                				 *((intOrPtr*)(_t229 + 0x6533390c)) =  *((intOrPtr*)(_t229 + 0x6533390c)) + 0xe;
                                                                                				 *0x36 =  *0x36 + 0x36;
                                                                                				 *_t156 =  *_t156 + _t202;
                                                                                				 *_t202 =  *_t202 + _t156;
                                                                                				 *_t156 =  *_t156 + _t156;
                                                                                				 *((intOrPtr*)(_t156 + 0x65333948)) =  *((intOrPtr*)(_t156 + 0x65333948)) + _t202;
                                                                                				 *0x36 =  *0x36 + 0x36;
                                                                                				 *0x36 =  *0x36 + _t202;
                                                                                				 *_t202 =  *_t202 + _t156;
                                                                                				 *_t156 =  *_t156 + _t156;
                                                                                				 *((intOrPtr*)(_t228 + 0x39 + _t156 * 2)) =  *((intOrPtr*)(_t228 + 0x39 + _t156 * 2)) + _t156;
                                                                                				_t223 = _t222 ^  *_t202;
                                                                                				asm("adc al, [eax]");
                                                                                				_t157 = _t156 -  *_t156;
                                                                                				 *_t157 =  *_t157 + _t157;
                                                                                				 *_t157 =  *_t157 + _t157;
                                                                                				asm("aas");
                                                                                				asm("aas");
                                                                                				_t182 = _t180 +  *_t202 -  *_t157;
                                                                                				 *[gs:eax] =  *[gs:eax] + _t182;
                                                                                				 *0x36 =  *0x36 + 0xe;
                                                                                				 *_t202 =  *_t202 + _t157;
                                                                                				 *_t157 =  *_t157 + _t157;
                                                                                				 *0x0000003F =  *((intOrPtr*)(0x3f)) + _t182;
                                                                                				 *[gs:ebx] =  *[gs:ebx] + _t182;
                                                                                				 *_t202 =  *_t202 + _t157;
                                                                                				 *_t157 =  *_t157 + _t157;
                                                                                				 *_t157 =  *_t157 + _t157;
                                                                                				_t159 = _t157 - 0x00000001 | 0x00000039;
                                                                                				asm("sbb al, 0x0");
                                                                                				 *_t159 =  *_t159 + _t159;
                                                                                				 *_t159 =  *_t159 + _t159;
                                                                                				asm("adc edi, [ecx]");
                                                                                				_t161 = _t159 + _t159 ^  *0x4a001d01;
                                                                                				 *_t202 =  *_t202 + _t161;
                                                                                				 *_t161 =  *_t161 + _t161;
                                                                                				_t203 = _t202 + _t161;
                                                                                				_t236 = (__edi + 0x00000001 ^  *_t229 ^  *_t229) + 0x00000001 ^  *_t229;
                                                                                				asm("sbb eax, 0x1004b00");
                                                                                				 *_t161 =  *_t161 + _t161;
                                                                                				 *((intOrPtr*)(_t203 + 0x24)) =  *((intOrPtr*)(_t203 + 0x24)) + _t203;
                                                                                				if ( *_t182 - _t228 >= 0) goto L1;
                                                                                				asm("sbb eax, 0x1004f00");
                                                                                				 *_t161 =  *_t161 + _t161;
                                                                                				 *_t161 =  *_t161 + _t161;
                                                                                				_t162 = _t161 & 0x00000039;
                                                                                				 *[es:eax] =  *[es:eax] + _t203;
                                                                                				 *_t162 =  *_t162 + _t162;
                                                                                				 *_t162 =  *_t162 + _t162;
                                                                                				asm("int1");
                                                                                				 *_t203 =  *_t203 + 0xe;
                                                                                				_t225 = _t223 ^  *_t203 ^  *_t203;
                                                                                				 *_t162 =  *_t162 ^ _t162;
                                                                                				 *_t162 =  *_t162 + 1;
                                                                                				 *_t162 =  *_t162 + _t162;
                                                                                				 *((intOrPtr*)(_t225 + 7)) =  *((intOrPtr*)(_t225 + 7)) + _t203;
                                                                                				 *_t228 =  *_t228 + _t203;
                                                                                				asm("xlatb");
                                                                                				 *_t203 =  *_t203 + _t162;
                                                                                				 *_t162 =  *_t162 + _t162;
                                                                                				_t238 = _t236 + 2;
                                                                                				 *0x36 =  *0x36 + 0x36;
                                                                                				 *_t162 =  *_t162 + _t162;
                                                                                				 *_t162 =  *_t162 + _t162;
                                                                                				_t163 = _t229;
                                                                                				_t230 = _t162;
                                                                                				 *_t228 =  *_t228 + 0x1d;
                                                                                				asm("in eax, 0x0");
                                                                                				 *_t163 =  *_t163 + _t163;
                                                                                				 *_t163 =  *_t163 + _t163;
                                                                                				 *[gs:esi] =  *[gs:esi] + 0x1d;
                                                                                				 *[es:ecx] =  *[es:ecx] + _t163;
                                                                                				 *_t163 =  *_t163 + _t163;
                                                                                				_t101 = _t203 + 0x3a;
                                                                                				 *_t101 =  *((intOrPtr*)(_t203 + 0x3a)) + _t203;
                                                                                				if( *_t101 < 0) {
                                                                                					 *[gs:edx] =  *[gs:edx] + 0x2e;
                                                                                					asm("daa");
                                                                                					 *_t203 =  *_t203 + _t163;
                                                                                					 *_t163 =  *_t163 + _t163;
                                                                                					 *((intOrPtr*)(_t230 + 0x653a7d3a)) =  *((intOrPtr*)(_t230 + 0x653a7d3a)) + 0x2e;
                                                                                					 *0x1d =  *0x1d + 0x2e;
                                                                                					 *_t203 =  *_t203 - _t163;
                                                                                					 *_t163 =  *_t163 + _t238;
                                                                                					 *_t163 =  *_t163 + _t163;
                                                                                					 *0x6533392e = _t163;
                                                                                					 *0x1d =  *0x1d + 0x2e;
                                                                                					 *_t203 =  *_t203 - _t163;
                                                                                					 *_t163 =  *_t163 + _t163;
                                                                                					 *_t163 =  *_t163 + _t163;
                                                                                					asm("loop 0x49");
                                                                                					_t172 = _t230;
                                                                                					_t230 = _t163;
                                                                                					 *0x01012A1D =  *((intOrPtr*)(0x1012a1d)) + _t238;
                                                                                					 *_t172 =  *_t172 & _t172;
                                                                                					 *_t203 =  *_t203 + 0x2e;
                                                                                					_t163 = _t172 + 1;
                                                                                					_t203 = 1;
                                                                                				}
                                                                                				asm("aaa");
                                                                                				 *_t203 =  *_t203 + _t163;
                                                                                				 *_t163 =  *_t163 + _t163;
                                                                                				 *0x2e =  *0x2e + 0x2e;
                                                                                				_t205 = (_t203 ^ _t225) +  *0x01014A1D;
                                                                                				 *_t163 =  *_t163 + _t163;
                                                                                				_t186 = 0x4b ^ _t205;
                                                                                				_t206 = _t205 +  *((intOrPtr*)(_t225 + 0x15f00));
                                                                                				 *_t163 =  *_t163 + 0x1d;
                                                                                				 *((intOrPtr*)(_t206 + 0x6533393d)) =  *((intOrPtr*)(_t206 + 0x6533393d)) + _t206;
                                                                                				 *((intOrPtr*)(_t186 + 0x5017000)) =  *((intOrPtr*)(_t186 + 0x5017000)) + 0x1d;
                                                                                				 *_t163 =  *_t163 + _t163;
                                                                                				 *((intOrPtr*)(0x1d + _t225)) =  *((intOrPtr*)(0x1d + _t225)) + _t186;
                                                                                				 *_t163 =  *_t163 + _t163;
                                                                                				_t187 = _t186 + _t206;
                                                                                				 *((intOrPtr*)(_t187 + 1)) =  *((intOrPtr*)(_t187 + 1)) + 0x1d;
                                                                                				_t164 = _t163 + 0x3000001;
                                                                                				 *[ss:eax] =  *[ss:eax] + _t164;
                                                                                				 *((intOrPtr*)(_t164 + 0x10501)) =  *((intOrPtr*)(_t164 + 0x10501)) + _t164;
                                                                                				 *_t230 =  *_t230 + _t206;
                                                                                				 *_t164 =  *_t164 + _t164;
                                                                                				_t189 = _t187 + _t206 + _t206;
                                                                                				 *((intOrPtr*)(_t225 + 0x10301)) =  *((intOrPtr*)(_t225 + 0x10301)) + _t164;
                                                                                				 *0x6500001D =  *((intOrPtr*)(0x6500001d)) + _t164;
                                                                                				_t165 = _t164 + 0x1d;
                                                                                				 *((intOrPtr*)(_t206 + 0x10201)) =  *((intOrPtr*)(_t206 + 0x10201)) + _t206;
                                                                                				 *((intOrPtr*)(_t165 - 0xeffffcf)) =  *((intOrPtr*)(_t165 - 0xeffffcf)) + 0x1d;
                                                                                				_t215 = 0x1d + _t189;
                                                                                				 *((intOrPtr*)(_t206 + 0x200201)) =  *((intOrPtr*)(_t206 + 0x200201)) + _t215;
                                                                                				_t167 = _t165 + _t215 |  *(_t165 + _t215);
                                                                                				 *_t228 =  *_t228 + _t206;
                                                                                				_t216 = _t215 + _t189;
                                                                                				 *((intOrPtr*)(_t230 + 0x201)) =  *((intOrPtr*)(_t230 + 0x201)) + _t216;
                                                                                				 *((intOrPtr*)(_t230 + 0x1610000 + _t167 * 2)) =  *((intOrPtr*)(_t230 + 0x1610000 + _t167 * 2)) + _t206;
                                                                                				asm("loope 0x2");
                                                                                				_t168 = _t167 +  *_t167;
                                                                                				 *_t168 =  *_t168 + _t168;
                                                                                				asm("stc");
                                                                                				 *_t168 =  *_t168 + _t168;
                                                                                				_t169 =  *0xc000e200;
                                                                                				 *((intOrPtr*)(_t216 + 1)) =  *((intOrPtr*)(_t216 + 1)) + _t169;
                                                                                				 *_t169 =  *_t169 + _t169;
                                                                                				 *((intOrPtr*)(3)) =  *((intOrPtr*)(3)) + 1;
                                                                                				asm("in al, 0x0");
                                                                                				return _t169 + 1 -  *((intOrPtr*)(_t169 + 1));
                                                                                			}

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.659070525.0000000000A02000.00000002.00020000.sdmp, Offset: 00A00000, based on PE: true
                                                                                • Associated: 00000000.00000002.659062879.0000000000A00000.00000002.00020000.sdmp
                                                                                • Associated: 00000000.00000002.659157889.0000000000A5E000.00000002.00020000.sdmp
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: af7c21762f966571641c8244d1cd3b795dc3a7dec4726ab8b409ce398b839b62
                                                                                • Instruction ID: fe318fe33b6091be64f0a91aa21b1e3a42c61ed7145ad7613b4ca70277eb8de1
                                                                                • Opcode Fuzzy Hash: af7c21762f966571641c8244d1cd3b795dc3a7dec4726ab8b409ce398b839b62
                                                                                • Instruction Fuzzy Hash: C6D1E27144E3D19FC7538B748CB92817FB0AE0721471E86DFD4C48F4A3E26A599ACB62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.662767137.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6c0875f3a30d8c9d33f888f3092585716b59ab071093199535d043fc35e1de27
                                                                                • Instruction ID: 8c177a31e48ecfa0542d93c0d6beedc3af02456eeee9b2cf1d1ad33a3b73fc45
                                                                                • Opcode Fuzzy Hash: 6c0875f3a30d8c9d33f888f3092585716b59ab071093199535d043fc35e1de27
                                                                                • Instruction Fuzzy Hash: 35A18031B081155FDB59A77488207AF72E7AFC8208F24882CD11ADB7D9DF399D0787A6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.660046470.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dd0f78c44567b3266220e49c7be2790f98d259a93d3ca5f324ff1e109ddb098f
                                                                                • Instruction ID: 90806323b39a5f5b3b56a2e69374cc92054fa19f2cfe0eda7cc86fce9bcdab1b
                                                                                • Opcode Fuzzy Hash: dd0f78c44567b3266220e49c7be2790f98d259a93d3ca5f324ff1e109ddb098f
                                                                                • Instruction Fuzzy Hash: EDA16F36E102198FCF16DFA5D8445DEBBB2FF89304F15816AE905BB221EB35A905CF80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Executed Functions

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906346309.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 97c4f3d15efee85eac6963319331427a4609efc78ebec3c4bdfa75bec20832f9
                                                                                • Instruction ID: 85b9c95c573d0c669de3c6ba979ac212b2281c7aff4b70cc41677d06b3577ddd
                                                                                • Opcode Fuzzy Hash: 97c4f3d15efee85eac6963319331427a4609efc78ebec3c4bdfa75bec20832f9
                                                                                • Instruction Fuzzy Hash: 2A413772D083558FCB00CFA4C8102EEBBB1EF8A314F1585ABC514AB751EB789845CBD1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • KiUserExceptionDispatcher.NTDLL ref: 02BA0E71
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906346309.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DispatcherExceptionUser
                                                                                • String ID:
                                                                                • API String ID: 6842923-0
                                                                                • Opcode ID: 32ef220c59e4462b8a179d1b8c4cad0ed9afc85eee831fbe3a5f738cf3972145
                                                                                • Instruction ID: 60f8a2c42f094220df4952f6a8fa66359e6549bd805ea0bbbd7895268ad71eca
                                                                                • Opcode Fuzzy Hash: 32ef220c59e4462b8a179d1b8c4cad0ed9afc85eee831fbe3a5f738cf3972145
                                                                                • Instruction Fuzzy Hash: F651BF31601205EFD734AF34F81D6AD7BB2FF84312F10A868E406DA6A8DB749C55CB60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNELBASE(?), ref: 02BA8EAF
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906346309.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 63049ca08ae96f64fe6618b72b22b92639a9ceef3bbdba90b36a7207fbfb2984
                                                                                • Instruction ID: 0c9d130f39d26b27130af9591a518a09a287cf24a2d2928a28169a34e7c21e12
                                                                                • Opcode Fuzzy Hash: 63049ca08ae96f64fe6618b72b22b92639a9ceef3bbdba90b36a7207fbfb2984
                                                                                • Instruction Fuzzy Hash: 054167B0E04218DFDB10CFA9C89479EBBF1EB48314F148569E815EB784E7B89841CF81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • LoadLibraryA.KERNELBASE(?), ref: 02BA8EAF
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906346309.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 1043e1aefff725dcc92a3bd336098f5b9ddf9a187445ec4f486f49ebf6673dbc
                                                                                • Instruction ID: 440e42437f8a49e4de24aaee8cd89f6532b1accb7dd127344171deed37a526b7
                                                                                • Opcode Fuzzy Hash: 1043e1aefff725dcc92a3bd336098f5b9ddf9a187445ec4f486f49ebf6673dbc
                                                                                • Instruction Fuzzy Hash: 604164B1E04218DFDB10CFA8C99479EBBF1EB08314F14856AE815EB784E7B89841CF81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GlobalMemoryStatusEx.KERNELBASE ref: 02BAFA0F
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906346309.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: GlobalMemoryStatus
                                                                                • String ID:
                                                                                • API String ID: 1890195054-0
                                                                                • Opcode ID: 40b42d6f24fa148ef8af7daeeb2707b9f569ffdc6ef79f0accf4e991330694aa
                                                                                • Instruction ID: 58afe77438dc277ac2219d0f22770bc29a359e3d767c3312e2fe59b69a4ba06d
                                                                                • Opcode Fuzzy Hash: 40b42d6f24fa148ef8af7daeeb2707b9f569ffdc6ef79f0accf4e991330694aa
                                                                                • Instruction Fuzzy Hash: C11112B1C046199FCB10CF9AC9447EEFBF4EB48224F05816AD828B7640D778A944CFE1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • KiUserExceptionDispatcher.NTDLL ref: 02BA0E71
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906346309.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DispatcherExceptionUser
                                                                                • String ID:
                                                                                • API String ID: 6842923-0
                                                                                • Opcode ID: 650a58b2c3cf7ce18c5de02377954c57c429b471dc29167f1141cbd8611c7994
                                                                                • Instruction ID: f40b372b348d5b8824a291500ff1b372f91a88b5a38af69ee8e66fd70bbc626e
                                                                                • Opcode Fuzzy Hash: 650a58b2c3cf7ce18c5de02377954c57c429b471dc29167f1141cbd8611c7994
                                                                                • Instruction Fuzzy Hash: DB118631612146EFC7346F64FA0D1ACBB66FF44227BA0E521F006D9478DB6809A6CF60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906022779.000000000121D000.00000040.00000001.sdmp, Offset: 0121D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5c66b1345a935625105fbb0e0aa7915b4c8c958b3cfc3ad33f6e48fe3b2c69ee
                                                                                • Instruction ID: 92f626d5243f421868a29b4691b261517413ff30107c2326c006cb3c98f9e156
                                                                                • Opcode Fuzzy Hash: 5c66b1345a935625105fbb0e0aa7915b4c8c958b3cfc3ad33f6e48fe3b2c69ee
                                                                                • Instruction Fuzzy Hash: 15216AB1514248FFCB05CF54E8C4B27BFA5FBA8328F248569D9050B20AC336D846C7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906048569.000000000122D000.00000040.00000001.sdmp, Offset: 0122D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cfc3b9359ecf105cf1e789b1c72bf4c4aa190515289824bf9a5ffaa4f340b1aa
                                                                                • Instruction ID: 7819c05240f8e04470fe202396c54b353ef028b86be2070d58cccb4f3dcf3767
                                                                                • Opcode Fuzzy Hash: cfc3b9359ecf105cf1e789b1c72bf4c4aa190515289824bf9a5ffaa4f340b1aa
                                                                                • Instruction Fuzzy Hash: 7F2164B0614248FFDB05CF94D8C0B2ABB61FB88314F30C5ADE9094B746C3BAD846CA61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906022779.000000000121D000.00000040.00000001.sdmp, Offset: 0121D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                                • Instruction ID: c62fbded9ca3b1dfc4ac2fd4f718c9f5369e8bd789540d7eb16c3f14e3509e0a
                                                                                • Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                                • Instruction Fuzzy Hash: 0411B176404284DFCB12CF54D5C4B16BFB2FB94324F2886A9D9054B65AC33AD456CBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.906048569.000000000122D000.00000040.00000001.sdmp, Offset: 0122D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
                                                                                • Instruction ID: da9b5dc3e414b0832c1b49ab994297e12f910ca89ea5e023e3ab2b7302a21141
                                                                                • Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
                                                                                • Instruction Fuzzy Hash: 2311D075504284DFDB06CF54D9C4B19BF71FB84314F28C6AADD094B656C33AD44ACB62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

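The function blocks above (memory dump source, "based on PE" flag, API references with their call-site addresses, opcode and instruction hashes) are the raw material an analyst mines from a report like this one. The following Python is an added example, not part of the report and not Joe Sandbox code: it parses such blocks, groups them by dump region, and flags regions that are not backed by a PE image yet contain executed functions with API references, which is the footprint that process injection and in-memory unpacking leave behind. The decoding of the dump file name (process index, dump number, id, region base, page protection, type) is an assumption, as is the reading of the fifth field as a Windows PAGE_* value; the sample input is constructed from blocks in this listing, trimmed to the lines the parser reads and placed under explicit section headers.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: blocks copied from this report's listing, trimmed and placed under explicit section headers.
SAMPLE = """\
Executed Functions
• Source File: 00000000.00000002.659070525.0000000000A02000.00000002.00020000.sdmp, Offset: 00A00000, based on PE: true
• Opcode ID: af7c21762f966571641c8244d1cd3b795dc3a7dec4726ab8b409ce398b839b62
Uniqueness Score: -1.00%
APIs
• LoadLibraryA.KERNELBASE(?), ref: 02BA8EAF
• Source File: 00000005.00000002.906346309.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
• Opcode ID: 63049ca08ae96f64fe6618b72b22b92639a9ceef3bbdba90b36a7207fbfb2984
Uniqueness Score: -1.00%
APIs
• LoadLibraryA.KERNELBASE(?), ref: 02BA8EAF
• Source File: 00000005.00000002.906346309.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
• Opcode ID: 1043e1aefff725dcc92a3bd336098f5b9ddf9a187445ec4f486f49ebf6673dbc
Uniqueness Score: -1.00%
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 02BAFA0F
• Source File: 00000005.00000002.906346309.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
• Opcode ID: 40b42d6f24fa148ef8af7daeeb2707b9f569ffdc6ef79f0accf4e991330694aa
Uniqueness Score: -1.00%
Non-executed Functions
• Source File: 00000005.00000002.906022779.000000000121D000.00000040.00000001.sdmp, Offset: 0121D000, based on PE: false
• Opcode ID: 5c66b1345a935625105fbb0e0aa7915b4c8c958b3cfc3ad33f6e48fe3b2c69ee
Uniqueness Score: -1.00%
"""

SECTION_RE = re.compile(r"^(Executed|Non-executed) Functions$")
SOURCE_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*[0-9A-Fa-f]+,\s*based on PE:\s*(true|false)")
API_RE = re.compile(r"(\w+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
OPCODE_RE = re.compile(r"Opcode ID:\s*([0-9a-f]+)")
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x40: "PAGE_EXECUTE_READWRITE"}  # Windows PAGE_* constants

@dataclass
class Function:
    section: str          # "Executed Functions" / "Non-executed Functions"
    source_file: str      # memory dump the listing was taken from
    based_on_pe: bool     # True when the dump is a mapped PE image
    apis: list = field(default_factory=list)   # (api, module, call-site address)
    opcode_id: str = ""

def region(source_file: str) -> dict:
    # Assumption: dump names are <process index>.<dump no>.<id>.<base>.<protection>.<type>.sdmp
    # and <protection> is the region's Windows page protection at dump time.
    p = source_file.split(".")
    prot = int(p[4], 16)
    return {"process": int(p[0]), "base": int(p[3], 16), "protection": PAGE_PROTECT.get(prot, hex(prot))}

def parse(text: str) -> list:
    """One Function per block: API lines precede the Source File line, Uniqueness Score closes the block."""
    funcs, section, pending, cur = [], "", [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(0)
        elif m := SOURCE_RE.search(line):
            cur, pending = Function(section, m.group(1), m.group(2) == "true", pending), []
        elif m := API_RE.search(line):
            pending.append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif cur and (m := OPCODE_RE.search(line)):
            cur.opcode_id = m.group(1)
        elif cur and line.startswith("Uniqueness Score"):
            funcs.append(cur)
            cur = None
    return funcs

def triage(funcs: list) -> list:
    """Per dump region: executed listings, distinct API call sites and an injection flag. Executed,
    API-calling code in memory not backed by a PE image is what injection or in-memory unpacking leaves."""
    by_region = defaultdict(list)
    for f in funcs:
        by_region[f.source_file].append(f)
    out = []
    for src, fs in by_region.items():
        executed = [f for f in fs if f.section.startswith("Executed")]
        # Two listings can contain the same call instruction (overlapping function boundaries),
        # so count distinct call-site addresses rather than listing entries.
        sites = {site for f in executed for site in f.apis}
        out.append({**region(src), "source": src, "based_on_pe": fs[0].based_on_pe,
                    "executed": len(executed), "call_sites": len(sites),
                    "apis": sorted({f"{a}.{m}" for a, m, _ in sites}),
                    "suspicious": bool(executed) and not fs[0].based_on_pe})
    return out

def overlapping_listings(funcs: list) -> dict:
    """Call-site address -> Opcode IDs of every listing containing it; more than one means overlap."""
    seen = defaultdict(set)
    for f in funcs:
        for _, _, addr in f.apis:
            seen[addr].add(f.opcode_id)
    return {addr: ids for addr, ids in seen.items() if len(ids) > 1}

if __name__ == "__main__":
    for r in triage(parse(SAMPLE)):
        print("INJECTED?" if r["suspicious"] else "ok", r["process"], f"{r['base']:08X}", r["protection"], r["apis"])
    print({f"{a:08X}": sorted(ids) for a, ids in overlapping_listings(parse(SAMPLE)).items()})
```

Run on the sample, the region at 02BA0000 in process 5 (page protection 0x40, not backed by a PE) comes out flagged with three executed listings but only two distinct call sites: the two LoadLibraryA entries both point at 02BA8EAF, so they are overlapping function records over one call, not two calls. Counting call sites rather than listing entries keeps a triage summary honest; which APIs appear there (a library loader and a memory-size query) is then the starting point for manual review, not a conclusion the parser draws.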
                                                                                Non-executed Functions