
Analysis Report DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe

Overview

General Information

Sample Name: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Analysis ID: 383976
MD5: edae8c184a250cccba45c023e805e12d
SHA1: 6042a0f078faad9525f052a561120d1e2551160f
SHA256: 0a572e4a9f5d166e563f1c63aa7aa029c2c206d23767bd6ab033a95d7d7027cb
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Startup

  • System is w10x64
  • DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe (PID: 5716 cmdline: 'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe' MD5: EDAE8C184A250CCCBA45C023E805E12D)
    • cmd.exe (PID: 3412 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 5432 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • Files.exe (PID: 6280 cmdline: 'C:\Users\user\AppData\Roaming\Files.exe' MD5: EDAE8C184A250CCCBA45C023E805E12D)
  • Files.exe (PID: 5980 cmdline: 'C:\Users\user\AppData\Roaming\Files.exe' MD5: EDAE8C184A250CCCBA45C023E805E12D)
  • Files.exe (PID: 6332 cmdline: 'C:\Users\user\AppData\Roaming\Files.exe' MD5: EDAE8C184A250CCCBA45C023E805E12D)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sammorris@askoblue.comP)RTDOg8mail.privateemail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5716 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sammorris@askoblue.comP)RTDOg8mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe | ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Virustotal: Detection: 28%
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | ReversingLabs: Detection: 37%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Joe Sandbox ML: detected
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303110487.00000000067F6000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325646667.0000000002A17000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325634684.0000000002A13000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp | String found in binary or memory: http://dual-a-0001.a-msedge.net
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.232439693.00000000070D3000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.305089826.00000000070D2000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g%%
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303110487.00000000067F6000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325646667.0000000002A17000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Files.exe, 00000015.00000002.322781369.0000000000A9C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.m
Source: Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325646667.0000000002A17000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297284689.0000000002D6E000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325378597.00000000029FC000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329505639.0000000003135000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.329046892.0000000002DF7000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329441226.0000000003118000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.329046892.0000000002DF7000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325792650.0000000002AD1000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

.NET source code contains very large array initializations
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Source: Files.exe.0.dr, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.9a0000.0.unpack, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Source: 0.0.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.9a0000.0.unpack, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Source: 13.2.Files.exe.120000.0.unpack, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Source: 13.0.Files.exe.120000.0.unpack, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Source: 21.0.Files.exe.3c0000.0.unpack, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Source: 21.2.Files.exe.3c0000.0.unpack, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Source: 22.2.Files.exe.c30000.0.unpack, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Source: 22.0.Files.exe.c30000.0.unpack, Bs5w/z4R1.cs | Large array initialization: .cctor: array initializer size 2488
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_0133D7F0
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_0133E4D8
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C66423
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C66428
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65246
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65248
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00A4D7F0
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00A4BD18
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 21_2_00BED458
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 21_2_00BED7F0
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 21_2_00BEE4D8
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 22_2_0161D7F0
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 22_2_0161BD18
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamegJXtAEencRYFIZTxBNckJHYqrAmfI.exe4 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.305503971.0000000007750000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.295875557.0000000000A6E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBDHL.exeD vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInstallUtil.exeT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299399775.0000000003D47000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.304498768.0000000006C90000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.304498768.0000000006C90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303468804.00000000068F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Binary or memory string: OriginalFilenameBDHL.exeD vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: classification engine | Classification label: mal92.troj.evad.winEXE@10/5@0/1
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File created: C:\Users\user\AppData\Roaming\Files.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4060:120:WilError_01
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Files.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Files.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Virustotal: Detection: 28%
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File read: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: unknown | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe 'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A6890 push ds; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A6FDE push eax; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A70D5 push ecx; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A7EFC push cs; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A90FC push ds; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A6D33 push ebx; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A6F2F push ebp; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A7023 push edx; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A6E51 push esi; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A6F57 push ebp; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_009A6E65 push esp; retf
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65E58 push esp; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65E00 push esp; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65FF1 push edi; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65FF9 push esi; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65C88 push edx; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65DA9 push ebx; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65D7B push ebx; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65D78 push ebx; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65D1B push edx; ret
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Code function: 0_2_06C65AD9 push ecx; ret
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00126D33 push ebx; retf
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00127023 push edx; retf
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00126F2F push ebp; retf
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00126E51 push esi; retf
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00126F57 push ebp; retf
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00126E65 push esp; retf
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00126890 push ds; retf
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_001270D5 push ecx; retf
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00126FDE push eax; retf
Source: C:\Users\user\AppData\Roaming\Files.exe | Code function: 13_2_00127EFC push cs; retf
                    Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeFile created: C:\Users\user\AppData\Roaming\Files.exeJump to dropped file
                    Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to dropped file
                    Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FilesJump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Window / User API: threadDelayed 3079
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Window / User API: threadDelayed 6522
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 4580 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 5752 Thread sleep count: 3079 > 30
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 5752 Thread sleep count: 6522 > 30
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 1832 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 4144 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6340 Thread sleep count: 63 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6340 Thread sleep count: 149 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 4720 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 5528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6488 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6524 Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6524 Thread sleep count: 117 > 30
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6372 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6328 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6632 Thread sleep count: 91 > 30
                    Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6632Thread sleep count: 107 > 30
                    Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6364Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6452Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Files.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Files.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Files.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Files.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Files.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Files.exe | Thread delayed: delay time: 922337203685477
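The sleep rows above can be reproduced from a raw API trace. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it applies the report's two thresholds (more than 30 delay calls on one thread, or a per-thread total of at least 30000, treated here as milliseconds, which is an assumption since the report prints the unit as "s") to constructed NtDelayExecution records. NtDelayExecution's DelayInterval is a signed 64-bit count of 100 ns units and is negative for a relative delay, which is why the sleep times above are printed as negative numbers. The recurring value 922337203685477 is Int64.MaxValue in ticks divided by 10000, i.e. .NET's TimeSpan.MaxValue expressed in milliseconds, and the totals reported for TID 4580 (23058430092136925) and TID 6488 (3689348814741908) are exactly 25 and 4 times that value, consistent with threads requesting that maximum delay repeatedly. The trace records, thread IDs and the benign control thread are constructed to mirror the rows above; they were not captured from the sample.

```python
"""Sleep-evasion heuristics over an NtDelayExecution call trace."""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds taken from the report's wording ("sleep count: N > 30",
# "sleep time: -Ns >= -30000s"); 30000 is treated as milliseconds (assumption).
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TOTAL_MS_THRESHOLD = 30_000
# Int64.MaxValue ticks (100 ns) in milliseconds == .NET TimeSpan.MaxValue in ms.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477


def delay_interval_to_ms(interval):
    """NtDelayExecution DelayInterval -> milliseconds.

    A negative LARGE_INTEGER is a relative delay in 100 ns units (hence the
    negative numbers in the report); a non-negative one is an absolute time,
    not a duration, so it is skipped here (None)."""
    if interval >= 0:
        return None
    return (-interval) // 10_000


@dataclass
class ThreadSleep:
    count: int = 0
    total_ms: int = 0


def aggregate(trace):
    """trace: iterable of (tid, delay_interval) tuples -> {tid: ThreadSleep}."""
    per_thread = defaultdict(ThreadSleep)
    for tid, interval in trace:
        ms = delay_interval_to_ms(interval)
        if ms is None:
            continue
        per_thread[tid].count += 1
        per_thread[tid].total_ms += ms
    return dict(per_thread)


def findings(per_thread):
    """(tid, reason, value) tuples, one per threshold a thread crosses."""
    out = []
    for tid, s in sorted(per_thread.items()):
        if s.count > SLEEP_COUNT_THRESHOLD:
            out.append((tid, "sleep_loop", s.count))
        if s.total_ms >= SLEEP_TOTAL_MS_THRESHOLD:
            out.append((tid, "long_sleep", s.total_ms))
    return out


def constructed_trace():
    """Constructed records mirroring the report's cases; not captured from the sample."""
    trace = [(5752, -1_000_000)] * 3079                       # 3079 x 100 ms: the TID 5752 loop
    trace.append((1832, -300_000_000))                        # one 30 s sleep: the TID 1832 row
    trace.append((4144, -DOTNET_TIMESPAN_MAX_MS * 10_000))    # TimeSpan.MaxValue: the TID 4144 row
    trace.extend([(100, -1_000_000)] * 5)                     # benign control: five short sleeps
    trace.append((100, 132_000_000_000_000_000))              # absolute-time wait, ignored
    return trace


if __name__ == "__main__":
    for tid, reason, value in findings(aggregate(constructed_trace())):
        print(f"TID {tid}: {reason} ({value})")
```

A thread that both loops and accumulates a large total (TID 5752 in the constructed trace) is reported twice, once per threshold, which is how the report itself lists separate "sleep count" and "sleep time" rows for one TID.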
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.252198044.0000000002C20000.00000002.00000001.sdmp, Files.exe, 0000000D.00000002.309501538.00000000055B0000.00000002.00000001.sdmp, Files.exe, 00000015.00000002.330474287.0000000005960000.00000002.00000001.sdmp, Files.exe, 00000016.00000002.333829232.0000000006050000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.252198044.0000000002C20000.00000002.00000001.sdmp, Files.exe, 0000000D.00000002.309501538.00000000055B0000.00000002.00000001.sdmp, Files.exe, 00000015.00000002.330474287.0000000005960000.00000002.00000001.sdmp, Files.exe, 00000016.00000002.333829232.0000000006050000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.252198044.0000000002C20000.00000002.00000001.sdmp, Files.exe, 0000000D.00000002.309501538.00000000055B0000.00000002.00000001.sdmp, Files.exe, 00000015.00000002.330474287.0000000005960000.00000002.00000001.sdmp, Files.exe, 00000016.00000002.333829232.0000000006050000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Files.exe, 00000016.00000002.328296751.0000000001364000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303280982.0000000006862000.00000004.00000001.sdmp | Binary or memory string: VMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.252198044.0000000002C20000.00000002.00000001.sdmp, Files.exe, 0000000D.00000002.309501538.00000000055B0000.00000002.00000001.sdmp, Files.exe, 00000015.00000002.330474287.0000000005960000.00000002.00000001.sdmp, Files.exe, 00000016.00000002.333829232.0000000006050000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: the four Hyper-V Compute Service sentences are standard Windows error-message text; they turn up in reg.exe as well, a process the sample used only for REG ADD, so on their own they are weak evidence of VM detection. Likewise "Hyper-V RAW" paired with mswsock.dll is the name of the built-in Winsock provider for Hyper-V sockets. The substantive VM-detection indicator in this section is the query of the SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00 device path and the matching VMware string held in the sample's own heap.
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Files.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Files.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Files.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Files.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
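The three "Process created" rows above are the persistence chain: the sample spawns cmd.exe, which spawns reg.exe to write the Run value 'Files' pointing at the copy in %APPDATA%. The Python below is an added example and not code from the report or the sample: it parses "reg add" command lines out of process-creation events shaped after those rows and flags any Run/RunOnce write whose payload lives in a user-writable directory. The event dictionaries, their field names, the placeholder PIDs and the two benign control events are assumptions constructed for the example, not sandbox data; only the command lines and the sample's PID 5716 come from the report. Both the cmd.exe and the reg.exe layers fire, which is expected, and a real pipeline would fold them together on parent PID.

```python
"""Flag Run-key persistence written through reg.exe in process-creation events."""
import re

# 'quoted', "quoted" or bare tokens; avoids shlex's backslash handling on Windows paths.
TOKEN_RE = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)


def tokenize(cmdline):
    return [q1 or q2 or bare for q1, q2, bare in TOKEN_RE.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a 'reg add' command line, else None.

    Works whether reg.exe is the image itself or is wrapped in 'cmd.exe /c'."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    starts = [i for i, t in enumerate(low)
              if t in ("reg", "reg.exe") or t.endswith("\\reg.exe")]
    if not starts:
        return None
    i = starts[0]
    if i + 2 >= len(toks) or low[i + 1] != "add":
        return None
    key, opts, j = toks[i + 2], {}, i + 3
    while j < len(toks):
        if low[j] in ("/v", "/t", "/d") and j + 1 < len(toks):
            opts[low[j]] = toks[j + 1]
            j += 2
        else:
            j += 1  # /f, /ve, /reg:32 and anything else
    return key, opts.get("/v"), opts.get("/d")


def detect_run_key_persistence(events):
    """events: iterable of dicts with pid, image, parent_image, cmdline (assumed schema)."""
    findings = []
    for ev in events:
        parsed = parse_reg_add(ev["cmdline"])
        if parsed is None:
            continue
        key, value_name, data = parsed
        if not RUN_KEY_RE.search(key):
            continue
        reasons = ["run_key_write"]
        if data and USER_WRITABLE_RE.search(data):
            reasons.append("payload_in_user_writable_dir")
        findings.append({
            "pid": ev["pid"], "image": ev["image"], "parent_image": ev["parent_image"],
            "key": key, "value": value_name, "data": data, "reasons": reasons,
        })
    return findings


SAMPLE_EXE = r"C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe"
REG_ADD = (r"REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' "
           r"/t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'")

# Constructed events shaped after the report's process tree. PIDs 6001-6004 are
# placeholders; the sample's own PID (5716) is the one the report gives.
CONSTRUCTED_EVENTS = [
    {"pid": 6001, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE_EXE,
     "cmdline": "'cmd.exe' /c " + REG_ADD},
    {"pid": 6002, "image": r"C:\Windows\SysWOW64\reg.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": REG_ADD},
    # Controls: a non-Run key write and a read-only query must not fire.
    {"pid": 6003, "image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"reg add 'HKCU\Software\Contoso\App' /v Installed /t REG_DWORD /d 1"},
    {"pid": 6004, "image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"reg query 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'"},
]

if __name__ == "__main__":
    for f in detect_run_key_persistence(CONSTRUCTED_EVENTS):
        print(f["pid"], f["image"], f["value"], "->", f["data"], f["reasons"])
```

The report's command lines show single quotes because of how the sandbox renders them; the tokenizer accepts both quote styles so the same rule works on raw Sysmon or EDR command lines with double quotes.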

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5716, type: MEMORY
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5716, type: MEMORY
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

(Trailing digits after a technique name are the report's matched-signature count badges; "-" marks an empty cell.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder1 | Process Injection11 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder1 | Modify Registry1 | LSASS Memory | Security Software Discovery111 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Virtualization/Sandbox Evasion31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection11 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery12 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

Behavior Graph

(Interactive behavior graph not reproduced. Its legend distinguished processes, signatures, created files, DNS/IP info, dropped and Windows processes, counts of created registry values and files, the implementation language of each process, whether it is malicious, and Internet access.)

Screenshots

(Screenshot thumbnails not reproduced.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | 29% | Virustotal | -
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | 38% | ReversingLabs | Win32.Trojan.Wacatac
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Files.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Roaming\Files.exe | 38% | ReversingLabs | Win32.Trojan.Wacatac

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ns.adobe.c/g%% | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
http://ocsp.m | 0% | Avira URL Cloud | safe

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ns.adobe.c/g%% | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.305089826.00000000070D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pki.goog/gsr2/GTS1O1.crt0 | Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.232439693.00000000070D3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.goog/gsr2/gsr2.crl0? | Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://pki.goog/repository/0 | Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.329046892.0000000002DF7000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schema.org/WebPage | DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297284689.0000000002D6E000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325378597.00000000029FC000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329505639.0000000003135000.00000004.00000001.sdmp | false | - | high
http://crl.pki.goog/GTS1O1core.crl0 | Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://ocsp.m | Files.exe, 00000015.00000002.322781369.0000000000A9C000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

Note: the tor-win32 download URL is carried in dump 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp, the same memory region the AgentTesla Yara rule matched above, so it should be read as part of the unpacked payload rather than as a stray library string. The "safe" reputation verdict only says the mirror itself is not known-bad; it says nothing about why a shipping-invoice executable would carry a Tor download URL. The pki.goog and crl.pki.goog entries, with their trailing "0" or "0?" characters, are certificate-extension strings picked up from memory, and the truncated http://ocsp.m and http://ns.adobe.c/g entries are partial strings, not contacted hosts (the report lists no contacted domains).

                        Contacted IPs


                        Public

                        IP | Domain | Country | ASN | ASN Name | Malicious

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:31.0.0 Emerald
                        Analysis ID:383976
                        Start date:08.04.2021
                        Start time:13:30:42
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 11m 13s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of new started processes analysed:35
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal92.troj.evad.winEXE@10/5@0/1
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 0.7% (good quality ratio 0.2%)
                        • Quality average: 20.1%
                        • Quality standard deviation: 29.5%
                        HCA Information:
                        • Successful, ratio: 81%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, wermgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                        • Excluded IPs from analysis (whitelisted): 40.88.32.150, 13.88.21.125, 172.217.168.4, 204.79.197.200, 13.107.21.200, 168.61.161.212, 104.83.127.80, 104.83.87.75, 13.107.42.23, 13.107.5.88, 40.126.31.138, 20.190.159.135, 40.126.31.5, 40.126.31.142, 20.190.159.137, 40.126.31.3, 20.190.159.131, 20.190.159.133, 93.184.220.29, 95.100.54.203, 2.22.152.11, 20.82.210.154, 205.185.216.10, 205.185.216.42, 23.54.113.53, 20.82.209.183, 23.10.249.26, 23.10.249.43
                        • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, cdn.onenote.net.edgekey.net, www.tm.a.prd.aadg.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, www.google.com, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, dual-a-0001.a-msedge.net, skypedataprdcolcus17.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, e15275.g.akamaiedge.net, l-0014.config.skype.com, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, storeedgefd.dsx.mp.microsoft.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, login.msa.msidentity.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, dub1.current.a.prd.aadg.trafficmanager.net, l-0014.l-msedge.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        13:31:53 | API Interceptor | 46x Sleep call for process: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe modified
                        13:31:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Files C:\Users\user\AppData\Roaming\Files.exe
                        13:32:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Files C:\Users\user\AppData\Roaming\Files.exe
                        13:32:18 | API Interceptor | 3x Sleep call for process: Files.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                                                                 Match: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                 Associated Sample Name / URL | Detection
                                                                 DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | malicious
                                                                 DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe | malicious
                                                                 DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe | malicious
                                                                 DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe | malicious
                                                                 Sample Qoutation List.exe | malicious
                                                                 DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe | malicious
                                                                 APRILQUOTATION#QQO2103060_SAMPLES_KHANG HY_CO_CORPORATION.exe | malicious
                                                                 Thalesnano.exe | malicious
                                                                 DHL_SHIPMENT_ADDRESS_CONFIRMATION_00000001.exe | malicious
                                                                 RFQ#040820.exe | malicious
                                                                 payment swift copy.exe | malicious
                                                                 I201002X430 CIF #20210604.exe | malicious
                                                                 PO#29710634.exe | malicious
                                                                 PO_6620200947535257662_Arabico.PDF.exe | malicious
                                                                 payment notification.exe | malicious
                                                                 Payment Notification.exe | malicious
                                                                 s.exe | malicious
                                                                 MV.exe | malicious
                                                                 e.exe | malicious
                                                                 SL_PO8192.PDF.exe | malicious

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.log
                                                                Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):1402
                                                                Entropy (8bit):5.338819835253785
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4Ko84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7csX3:MIHK5HKXE1qHbHKoviYHKhQnoPtHoxHH
                                                                MD5:EB9F730FB5388BB883772033EA3CCE59
                                                                SHA1:7DFF24FBD26D0ED7065882AE0A9A52E459D7F2A9
                                                                SHA-256:B7192E58E5E91CF2CA113CA1C9575AADEAD3C417076AB83D8EF0720D5E473887
                                                                SHA-512:1FB4FF9E7E85C4F4B2395B948A4B69180E602259FFC582A067B96420C60BA4B49D091F3D525333E07930AA21A8254AF1C9F90B29CCD31AA97C368CB1CB7EF322
                                                                Malicious:true
                                                                Reputation:low
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu
                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Files.exe.log
                                                                Process:C:\Users\user\AppData\Roaming\Files.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1402
                                                                Entropy (8bit):5.338819835253785
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4Ko84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7csX3:MIHK5HKXE1qHbHKoviYHKhQnoPtHoxHH
                                                                MD5:EB9F730FB5388BB883772033EA3CCE59
                                                                SHA1:7DFF24FBD26D0ED7065882AE0A9A52E459D7F2A9
                                                                SHA-256:B7192E58E5E91CF2CA113CA1C9575AADEAD3C417076AB83D8EF0720D5E473887
                                                                SHA-512:1FB4FF9E7E85C4F4B2395B948A4B69180E602259FFC582A067B96420C60BA4B49D091F3D525333E07930AA21A8254AF1C9F90B29CCD31AA97C368CB1CB7EF322
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu
                                                                C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):41064
                                                                Entropy (8bit):6.164873449128079
                                                                Encrypted:false
                                                                SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                Malicious:false
                                                                Antivirus:
                                                                 • Antivirus: Metadefender, Detection: 0%
                                                                 • Antivirus: ReversingLabs, Detection: 0%
                                                                 Joe Sandbox View:
                                                                 • Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Detection: malicious
                                                                 • Filename: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, Detection: malicious
                                                                 • Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Detection: malicious
                                                                 • Filename: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, Detection: malicious
                                                                 • Filename: Sample Qoutation List.exe, Detection: malicious
                                                                 • Filename: DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe, Detection: malicious
                                                                 • Filename: APRILQUOTATION#QQO2103060_SAMPLES_KHANG HY_CO_CORPORATION.exe, Detection: malicious
                                                                 • Filename: Thalesnano.exe, Detection: malicious
                                                                 • Filename: DHL_SHIPMENT_ADDRESS_CONFIRMATION_00000001.exe, Detection: malicious
                                                                 • Filename: RFQ#040820.exe, Detection: malicious
                                                                 • Filename: payment swift copy.exe, Detection: malicious
                                                                 • Filename: I201002X430 CIF #20210604.exe, Detection: malicious
                                                                 • Filename: PO#29710634.exe, Detection: malicious
                                                                 • Filename: PO_6620200947535257662_Arabico.PDF.exe, Detection: malicious
                                                                 • Filename: payment notification.exe, Detection: malicious
                                                                 • Filename: Payment Notification.exe, Detection: malicious
                                                                 • Filename: s.exe, Detection: malicious
                                                                 • Filename: MV.exe, Detection: malicious
                                                                 • Filename: e.exe, Detection: malicious
                                                                 • Filename: SL_PO8192.PDF.exe, Detection: malicious
                                                                Reputation:moderate, very likely benign file
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                                C:\Users\user\AppData\Roaming\Files.exe
                                                                Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):888320
                                                                Entropy (8bit):6.555631827817538
                                                                Encrypted:false
                                                                SSDEEP:12288:Xd+vpIV1Fn6OAVo1TXiJM8R0aJEu0AxTd9lB3pa77FMHK25PPlXU:UC65o1OMCPabAd7pk7F+K25ZU
                                                                MD5:EDAE8C184A250CCCBA45C023E805E12D
                                                                SHA1:6042A0F078FAAD9525F052A561120D1E2551160F
                                                                SHA-256:0A572E4A9F5D166E563F1C63AA7AA029C2C206D23767BD6AB033A95D7D7027CB
                                                                SHA-512:A2880BEF10470D56E87452FD1C6FEB27C4D1DDE1FCAE5F00901254EA99D1A743190AA3E802B1A492F107A54445FE5FC0C98C4B1C2A3123CCF2DCFEAE1FF6ED68
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 38%
                                                                Reputation:low
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..S................................. ........@.. ....................................`.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...k......*....M..B............................................X..e)..c........[..........Z....E..w......q...<............9...f..,$......)+..j.......;....t..rC..<o..\[..V...B...8...4.......[...........Q.......#.......D...........hp...:..............W...@...R........_..8_..o...1....;..*...R...I...q...=x..}...._..K...B...J.......l..................XV...]...#.....e...K....W...>..<........@..........v8..p.......U...t..%.........._....=...?...........!..............
                                                                C:\Users\user\AppData\Roaming\Files.exe:Zone.Identifier
                                                                Process:C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Reputation:high, very likely benign file
                                                                Preview: [ZoneTransfer]....ZoneId=0

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):6.555631827817538
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
                                                                File size:888320
                                                                MD5:edae8c184a250cccba45c023e805e12d
                                                                SHA1:6042a0f078faad9525f052a561120d1e2551160f
                                                                SHA256:0a572e4a9f5d166e563f1c63aa7aa029c2c206d23767bd6ab033a95d7d7027cb
                                                                SHA512:a2880bef10470d56e87452fd1c6feb27c4d1dde1fcae5f00901254ea99d1a743190aa3e802b1a492f107a54445fe5fc0c98c4b1c2a3123ccf2dcfeae1ff6ed68
                                                                SSDEEP:12288:Xd+vpIV1Fn6OAVo1TXiJM8R0aJEu0AxTd9lB3pa77FMHK25PPlXU:UC65o1OMCPabAd7pk7F+K25ZU
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..S................................. ........@.. ....................................`................................

                                                                File Icon

                                                                Icon Hash:eaee8e96b2a8e0b2

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4ccece
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                Time Stamp:0x531A1D35 [Fri Mar 7 19:25:41 2014 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:v4.0.30319
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al

                                                                Data Directories

Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0xcce78          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       0xce000          0xd8ca        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0xdc000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0

                                                                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xcaed4       0xcb000   False     0.619055235914   data       6.57686671715    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xce000          0xd8ca        0xda00    False     0.0914922591743  data       3.77202593589    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xdc000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

Name           RVA      Size    Type                                                                        Language  Country
RT_ICON        0xce130  0xd228  data
RT_GROUP_ICON  0xdb358  0x14    data
RT_VERSION     0xdb36c  0x374   data
RT_MANIFEST    0xdb6e0  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2004 :=C=G=2A<F?<AHJI:52
Assembly Version  1.0.0.0
InternalName      BDHL.exe
FileVersion       5.7.10.12
CompanyName       :=C=G=2A<F?<AHJI:52
Comments          65>=BBIJ@55F:>8G
ProductName       B422A<96:DJ>@;I;
ProductVersion    5.7.10.12
FileDescription   B422A<96:DJ>@;I;
OriginalFilename  BDHL.exe

                                                                Network Behavior

                                                                UDP Packets

                                                                DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                                 Address  Type                    Class
Apr 8, 2021 13:31:58.455288887 CEST  8.8.8.8    192.168.2.3  0x5fcc    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net           CNAME (Canonical name)  IN (0x0001)

                                                                System Behavior

                                                                General

Start time: 13:31:32
Start date: 08/04/2021
Path: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe'
Imagebase: 0x9a0000
File size: 888320 bytes
MD5 hash: EDAE8C184A250CCCBA45C023E805E12D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                General

Start time: 13:31:52
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                General

Start time: 13:31:52
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                General

Start time: 13:31:53
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Imagebase: 0x1b0000
File size: 59392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                General

Start time: 13:32:07
Start date: 08/04/2021
Path: C:\Users\user\AppData\Roaming\Files.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Files.exe'
Imagebase: 0x120000
File size: 888320 bytes
MD5 hash: EDAE8C184A250CCCBA45C023E805E12D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 38%, ReversingLabs
Reputation: low

                                                                General

Start time: 13:32:13
Start date: 08/04/2021
Path: C:\Users\user\AppData\Roaming\Files.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Files.exe'
Imagebase: 0x3c0000
File size: 888320 bytes
MD5 hash: EDAE8C184A250CCCBA45C023E805E12D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

                                                                General

Start time: 13:32:15
Start date: 08/04/2021
Path: C:\Users\user\AppData\Roaming\Files.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Files.exe'
Imagebase: 0xc30000
File size: 888320 bytes
MD5 hash: EDAE8C184A250CCCBA45C023E805E12D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low
