
Windows Analysis Report DHL Delivery Invoice AWB 2774038374.exe

Overview

General Information

Sample Name: DHL Delivery Invoice AWB 2774038374.exe
Analysis ID: 553160
MD5: d746678abd983ee65b7968607de1e18c
SHA1: ac41264273c252b60b7c1fb893324b4f3005c7e6
SHA256: 9d69632f6791492fadab28bea034f7f18d29bc67fd6e7db08bdba847487da47f
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • DHL Delivery Invoice AWB 2774038374.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" MD5: D746678ABD983EE65B7968607DE1E18C)
    • powershell.exe (PID: 6412 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5524 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 1364 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen", "Host": "smtp.yandex.com"}
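The config says the stealer mails its loot out over SMTP, and the traffic section of this report shows the matching flow (192.168.2.4:49841 -> 77.88.21.158:587). The following is an added Python example, not Joe Sandbox code: it takes flow records in the report's own "src:sport -> dst:dport" form, flags mail-port connections from client space that do not go to a sanctioned relay, and marks the ones whose destination is an address the config's Host resolved to. The relay allow-list, the DNS observations and the benign flows are constructed for the example; the credentials from the config are left out because the detection does not need them.

```python
"""Network-side check for the exfiltration channel in the extracted config:
flag SMTP-submission flows from client space to hosts that are not the
organisation's own relays, and mark those that reach an address the
config's Host resolved to. Added example, not Joe Sandbox code; the
relay allow-list, the DNS records and the benign flows are constructed."""
import ipaddress
from dataclasses import dataclass

MAIL_PORTS = {25, 465, 587}                 # SMTP relay / submission ports
ALLOWED_RELAYS = {"10.0.0.25"}              # assumption: sanctioned corporate relay

# Extracted config fields the detection needs (credentials omitted on purpose).
CONFIG = {"Exfil Mode": "SMTP", "Host": "smtp.yandex.com"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_flows(lines):
    """Parse 'src:sport -> dst:dport' lines, the form the report's traffic entries use."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        left, right = (part.strip() for part in line.split("->", 1))
        src, sport = left.rsplit(":", 1)
        dst, dport = right.rsplit(":", 1)
        flows.append(Flow(src, int(sport), dst, int(dport)))
    return flows


def resolve_from_dns_log(hostname, dns_log):
    """Addresses a hostname resolved to, taken from passive DNS / query logs."""
    return {ip for name, ip in dns_log if name.lower() == hostname.lower()}


def suspicious_mail_flows(flows, config, dns_log):
    """Return (flow, matches_config_host) for every private-source mail-port flow
    that does not go to a sanctioned relay."""
    exfil_ips = set()
    if config.get("Exfil Mode") == "SMTP":
        exfil_ips = resolve_from_dns_log(config["Host"], dns_log)
    findings = []
    for f in flows:
        if f.dport not in MAIL_PORTS:
            continue
        if not ipaddress.ip_address(f.src).is_private:   # assumption: RFC 1918 = client space
            continue
        if f.dst in ALLOWED_RELAYS:
            continue
        findings.append((f, f.dst in exfil_ips))
    return findings


# Constructed sample input: the report's two port-587 flows plus benign and
# unrelated traffic.
SAMPLE_FLOWS = """
192.168.2.4:49841 -> 77.88.21.158:587
192.168.2.4:49841 -> 77.88.21.158:587
192.168.2.4:49850 -> 10.0.0.25:587
192.168.2.4:49851 -> 93.184.216.34:443
192.168.2.4:49852 -> 198.51.100.7:25
"""
# Constructed DNS observations; the report shows the connection, not the lookup.
SAMPLE_DNS = [("smtp.yandex.com", "77.88.21.158"), ("example.com", "93.184.216.34")]


def run():
    return suspicious_mail_flows(parse_flows(SAMPLE_FLOWS.splitlines()), CONFIG, SAMPLE_DNS)


if __name__ == "__main__":
    for flow, hits_config_host in run():
        verdict = "matches config exfil host" if hits_config_host else "unsanctioned mail host"
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {verdict}")
```

The allow-list is the important knob: on a network where workstations are supposed to submit mail only through the corporate relay, any other port 25/465/587 destination is worth a ticket on its own, and the DNS correlation just tells the responder which of those tickets is this sample. Webmail providers such as the one in this config are legitimate destinations for a browser, not for RegSvcs.exe, so pairing this with a process-level check on the sending image closes the gap.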

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000008.00000000.723647574.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000000.723647574.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000008.00000000.723173768.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(14 further memory-dump matches not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
8.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
8.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
8.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
8.0.RegSvcs.exe.400000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(16 further unpacked-PE matches not shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1364
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp, ProcessId: 5524
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, ProcessId: 6412
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1364
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, ProcessId: 6412
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132866324229420803.6412.DefaultAppDomain.powershell
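The three process-creation events above (the Defender exclusion, the scheduled task built from a file in the user's Temp directory, and RegSvcs.exe started with an empty command line by a process on the Desktop) are the whole persistence and injection chain of this sample, and all three are cheap to detect from Sysmon event 1 or Security event 4688 data. The Python below is an added example, not Joe Sandbox or Sigma code: it implements the logic of those three detections as plain functions and runs them over constructed event records built from the report's command lines plus benign look-alikes. The parent-directory filter on the sacrificial-process check is an addition to cut noise from developer tooling; the trusted roots and the list of host binaries are assumptions for the example.

```python
"""Process-creation checks for the three behaviours in this report's process tree:
a Defender exclusion added through PowerShell, a scheduled task created from an
XML file in the user's Temp directory, and an argument-less .NET utility started
by a user-land parent as a sacrificial injection host. This is an added example,
not Joe Sandbox or Sigma code; the event records below are constructed from the
report's command lines plus benign look-alikes."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # as logged (Sysmon EID 1 / Security 4688 style)
    parent_image: str   # full path of the parent


# .NET framework utilities commonly hollowed by AgentTesla-style loaders (assumption).
SACRIFICIAL_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                     "installutil.exe", "aspnet_compiler.exe"}
# Assumption: parents under these roots are treated as legitimate tooling.
TRUSTED_PARENT_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                        "c:\\program files (x86)\\")
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _arguments(ev: ProcessEvent) -> str:
    """Everything after the image path, whether or not the path was quoted."""
    cl = ev.command_line.strip()
    for prefix in (f'"{ev.image}"', ev.image):
        if cl.lower().startswith(prefix.lower()):
            return cl[len(prefix):].strip()
    parts = cl.split(None, 1)      # fallback: first token is the image
    return parts[1].strip() if len(parts) > 1 else ""


def defender_exclusion(ev: ProcessEvent) -> bool:
    """PowerShell adding a Defender exclusion (the report's Add-MpPreference call)."""
    if _basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = ev.command_line.lower()
    return ("add-mppreference" in cl or "set-mppreference" in cl) and "-exclusion" in cl


def task_from_user_temp(ev: ProcessEvent) -> bool:
    """schtasks /Create fed from a file under a user's AppData\\Local\\Temp."""
    if _basename(ev.image) != "schtasks.exe":
        return False
    cl = ev.command_line.lower()
    return "/create" in cl and USER_TEMP.search(cl) is not None


def sacrificial_dotnet_host(ev: ProcessEvent) -> bool:
    """A .NET utility started with no arguments by a parent outside trusted roots;
    the parent check is an added noise filter, not part of the Sigma rule."""
    if _basename(ev.image) not in SACRIFICIAL_HOSTS or _arguments(ev):
        return False
    return not ev.parent_image.lower().startswith(TRUSTED_PARENT_ROOTS)


DETECTIONS = [
    ("Powershell Defender Exclusion", defender_exclusion),
    ("Suspicious Add Task From User AppData Temp", task_from_user_temp),
    ("Sacrificial .NET host started without arguments", sacrificial_dotnet_host),
]


def evaluate(events):
    """Return (detection name, event) pairs for every rule each event trips."""
    return [(name, ev) for ev in events for name, fn in DETECTIONS if fn(ev)]


DROPPER = r"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe"

# Constructed events: the report's three children, then benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe"',
                 DROPPER),
    ProcessEvent(r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp"',
                 DROPPER),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 DROPPER),
    # Benign: an admin reading Defender settings, a task query, a developer registering a COM library.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\IpkVblcOW"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /tlb:Lib.tlb Lib.dll',
                 r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"),
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {ev.command_line}")
```

Two caveats when moving this into a SIEM: the command-line logging this relies on has to be switched on (Security 4688 does not record the command line by default), and the Defender-exclusion check only sees the PowerShell route; the same exclusion written straight to the Defender registry keys or set via MpCmdRun needs a separate registry or ETW rule.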

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 8.0.RegSvcs.exe.400000.1.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: DHL Delivery Invoice AWB 2774038374.exe; Virustotal: Detection: 32%
Antivirus / Scanner detection for submitted sample
Source: DHL Delivery Invoice AWB 2774038374.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\IpkVblcOW.exe; Avira: detection malicious, Label: HEUR/AGEN.1140941
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\IpkVblcOW.exe; ReversingLabs: Detection: 53%
Machine Learning detection for sample
Source: DHL Delivery Invoice AWB 2774038374.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\IpkVblcOW.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.RegSvcs.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe; Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack
Uses 32bit PE files
Source: DHL Delivery Invoice AWB 2774038374.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL Delivery Invoice AWB 2774038374.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 77.88.21.158 77.88.21.158
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.4:49841 -> 77.88.21.158:587
Uses SMTP (mail sending)
Source: global traffic; TCP traffic: 192.168.2.4:49841 -> 77.88.21.158:587
                      Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmpString found in binary or memory: http://aZnPlk.com
                      Source: RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.c
                      Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
                      Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                      Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
                      Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                      Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://smtp.yandex.com
                      Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
                      Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.701547719.0000000007DBC000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.701570124.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702975608.0000000007DBC000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702506205.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702832420.0000000007DBC000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comams.
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702975608.0000000007DBC000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702506205.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702832420.0000000007DBC000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comsioZ
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702975608.0000000007DBC000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702506205.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702832420.0000000007DBC000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comtigJ?b
                      Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730604458.0000000007DB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comFk):
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730604458.0000000007DB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.commta
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtulk7(
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueed
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/%(
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/A(
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Curs
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/D
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/F
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H(
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0.
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/A(
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703153587.0000000007DB4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963597761.00000000030A1000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963660199.00000000030D4000.00000004.00000001.sdmp | String found in binary or memory: https://AhCxzE4BnkjtzVVxo.com
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000008.00000000.722291160.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: smtp.yandex.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.725851648.0000000000C8B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: DHL Delivery Invoice AWB 2774038374.exe
.NET source code contains very large array initializations
Source: 8.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: DHL Delivery Invoice AWB 2774038374.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B21F0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1018
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B30C8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B04E0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1780
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B5908
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B21E0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4018
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1017
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4017
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B3095
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B30C7
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010BF318
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B52C8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B52D8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B546A
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B5478
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B04DF
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B177F
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B56E1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B56F0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B58F9
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010BEC70
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4E98
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4E97
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_04EB560C
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_04EB80C8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_04EB80D8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_09860040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B846A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B83D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B84630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B84610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B8D2E0
Source: DHL Delivery Invoice AWB 2774038374.exe | Binary or memory string: OriginalFilename vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.731493441.0000000009700000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000000.695437793.00000000005E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKeywor.exe8 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.725443597.0000000000666000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKeywor.exe8 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepTMxytDGOEdKyjoZeSonSzqfykSeH.exe4 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepTMxytDGOEdKyjoZeSonSzqfykSeH.exe4 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.725851648.0000000000C8B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe | Binary or memory string: OriginalFilenameKeywor.exe8 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: IpkVblcOW.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL Delivery Invoice AWB 2774038374.exe | Virustotal: Detection: 32%
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File read: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe"
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File created: C:\Users\user\AppData\Roaming\IpkVblcOW.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE166.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/9@4/1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_01
Source: 8.0.RegSvcs.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.RegSvcs.exe.400000.2.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL Delivery Invoice AWB 2774038374.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL Delivery Invoice AWB 2774038374.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_005E2C3C pushfd ; iretd
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_005E2C31 pushfd ; iretd
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B6452 pushfd ; iretd
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1770 push esp; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B285F push ebx; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B58B8 push eax; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B2A99 push ebx; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B2DB2 push ebx; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1CED push ecx; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B2F09 push eax; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B2F3C push ebx; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B3FD0 push ebx; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4E88 push ecx; ret
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_09863302 push edi; iretd
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_098632AF pushfd ; iretd
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_09863743 push ss; retf
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_09863EBD pushfd ; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.71584990689
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File created: C:\Users\user\AppData\Roaming\IpkVblcOW.exe

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.2a5f05c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374.exe PID: 7072, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe TID: 7076 Thread sleep time: -36400s >= -30000s
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe TID: 7104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1476 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6843
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Thread delayed: delay time: 36400
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.725894876.0000000000CBF000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}e
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp Binary or memory string: vmware
Source: RegSvcs.exe, 00000008.00000003.936499007.0000000005F94000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D6E008
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 00000008.00000002.962791495.00000000016F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000008.00000002.962791495.00000000016F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000008.00000002.962791495.00000000016F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 00000008.00000002.962791495.00000000016F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.4560d10.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.4560d10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.43d7a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.436f1e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.723647574.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.723173768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.722802377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.722291160.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374.exe PID: 7072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1364, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara matchFile source: 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1364, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.4560d10.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.4560d10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.43d7a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.436f1e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.723647574.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.723173768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.722802377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.722291160.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374.exe PID: 7072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1364, type: MEMORYSTR

Mitre Att&ck Matrix

(Digits after a technique name are the report's per-technique signature counts, kept as they appear in the original matrix.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 212 | Disable or Modify Tools 11 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 111 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Credentials in Registry 1 | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 23 | NTDS | Security Software Discovery 311 | Distributed Component Object Model | Input Capture 111 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Process Discovery 2 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 131 | Cached Domain Credentials | Virtualization/Sandbox Evasion 131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 212 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 553160
Sample: DHL Delivery Invoice AWB 27...
Startdate: 14/01/2022
Architecture: WINDOWS
Score: 100

Top-level signatures:
• Found malware configuration
• Antivirus detection for dropped file
• Antivirus / Scanner detection for submitted sample
• 16 other signatures

Process: DHL Delivery Invoice AWB 2774038374.exe (7)
Dropped files:
• C:\Users\user\AppData\Roaming\IpkVblcOW.exe, PE32
• C:\Users\...\IpkVblcOW.exe:Zone.Identifier, ASCII
• C:\Users\user\AppData\Local\...\tmpE166.tmp, XML
• DHL Delivery Invoi... 2774038374.exe.log, ASCII
Signatures:
• Writes to foreign memory regions
• Adds a directory exclusion to Windows Defender
• Injects a PE file into a foreign processes
Started processes: RegSvcs.exe (6), powershell.exe (24), schtasks.exe (1)

Process: RegSvcs.exe (6)
DNS/IP info:
• smtp.yandex.ru 77.88.21.158, ports 49841, 49842, 587, YANDEXRU Russian Federation
• smtp.yandex.com
Signatures:
• Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
• Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
• Tries to steal Mail credentials (via file / registry access)
• 4 other signatures

Process: powershell.exe (24)
Started processes: conhost.exe

Process: schtasks.exe (1)
Started processes: conhost.exe

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
DHL Delivery Invoice AWB 2774038374.exe | 33% | Virustotal |
DHL Delivery Invoice AWB 2774038374.exe | 100% | Avira | HEUR/AGEN.1140941
DHL Delivery Invoice AWB 2774038374.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\IpkVblcOW.exe | 100% | Avira | HEUR/AGEN.1140941
C:\Users\user\AppData\Roaming\IpkVblcOW.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\IpkVblcOW.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.RemLoader

Unpacked PE Files

Source | Detection | Scanner | Label
8.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
8.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
0.0.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack | 100% | Avira | HEUR/AGEN.1140941
8.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
8.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
8.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
8.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
0.2.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

Domains

No Antivirus matches

URLs

URL | Detection | Scanner | Label
http://www.jiyu-kobo.co.jp/A( | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/a-d | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/A( | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.comsioZ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/%( | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/-cz | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://subca.ocsp-certum.com0. | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comFk): | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.fontbureau.comueed | 0% | URL Reputation | safe
http://www.fontbureau.commta | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://AhCxzE4BnkjtzVVxo.com | 0% | Avira URL Cloud | safe
http://www.carterandcone.comams. | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Curs | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/F | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/D | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/H( | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://yandex.ocsp-responder.com03 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.carterandcone.comtigJ?b | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/t | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0. | 0% | Avira URL Cloud | safe
http://aZnPlk.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.comtulk7( | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | | high
smtp.yandex.com | unknown | unknown | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.jiyu-kobo.co.jp/A( | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/a-d | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://yandex.crl.certum.pl/ycasha2.crl0q | RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/jp/A( | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comsioZ | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702975608.0000000007DBC000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702506205.0000000007DB4000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702832420.0000000007DBC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/%( | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/-cz | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com0. | RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.certum.pl/ca.cer09 | RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comFk): | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730604458.0000000007DB0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp// | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com01 | RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.certum.pl/ca.c | RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp | false | | high
http://www.urwpp.deDPlease | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp; RegSvcs.exe, 00000008.00000000.722291160.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certum.pl/CPS0 | RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comueed | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.certum.pl/ycasha2.cer0 | RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.701547719.0000000007DBC000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.701570124.0000000007DB4000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.commta | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730604458.0000000007DB0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.certum.pl/ctnca.cer09 | RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | false | | high
https://AhCxzE4BnkjtzVVxo.com | RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963597761.00000000030A1000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963660199.00000000030D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comams. | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702975608.0000000007DBC000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702506205.0000000007DB4000.00000004.00000001.sdmp; DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702832420.0000000007DBC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.certum.pl/ctnca.crl0k | RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp; RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Curs | DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe |
                                                        unknown
                                                        http://www.jiyu-kobo.co.jp/FDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.certum.pl/CPS0RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.jiyu-kobo.co.jp/DDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/jp/DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.comaDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/H(DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://smtp.yandex.comRegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.carterandcone.comlDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://yandex.ocsp-responder.com03RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers/cabarga.htmlNDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.founder.com.cn/cnDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.fontbureau.com/designers/frere-user.htmlDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.carterandcone.comtigJ?bDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702975608.0000000007DBC000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702506205.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702832420.0000000007DBC000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.jiyu-kobo.co.jp/tDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703153587.0000000007DB4000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://crls.yandex.net/certum/ycasha2.crl0-RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://www.jiyu-kobo.co.jp/Y0.DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://aZnPlk.comRegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.fontbureau.comtulk7(DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  low
                                                                  http://www.jiyu-kobo.co.jp/DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.comoDHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers8DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://crl.certum.pl/ca.crl0hRegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmpfalse
                                                                      high

                                                                      Contacted IPs


                                                                      Public

IP            Domain          Country             ASN    ASN Name  Malicious
77.88.21.158  smtp.yandex.ru  Russian Federation  13238  YANDEXRU  false

                                                                      General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553160
Start date: 14.01.2022
Start time: 12:12:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DHL Delivery Invoice AWB 2774038374.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/9@4/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 1.4% (good quality ratio 0.8%)
• Quality average: 34.4%
• Quality standard deviation: 34.1%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                      Simulations

                                                                      Behavior and APIs

Time      Type             Description
12:13:41  API Interceptor  1x Sleep call for process: DHL Delivery Invoice AWB 2774038374.exe modified
12:13:45  API Interceptor  44x Sleep call for process: powershell.exe modified
12:13:57  API Interceptor  723x Sleep call for process: RegSvcs.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      No context

                                                                      Domains

                                                                      No context

                                                                      ASN

                                                                      No context

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Delivery Invoice AWB 2774038374.exe.log
Process: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5: D918C6A765EDB90D2A227FE23A3FEC98
SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512: A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious: true
Reputation: moderate, very likely benign file
                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 22404
Entropy (8bit): 5.603549403721627
Encrypted: false
SSDEEP: 384:htCDxHHuqVlZ50+9ESBKn8jultI+77Y9gtjSJ3xqT1MaDZlbAV7glD8SZBDI+1zY:6tA4K8CltRf5cQCifwsTV4
MD5: 39B5A82F2DB48B9621A6697D7606C387
SHA1: C4C2E21E9BC08A16ACF741AA72BEEF0E113A2930
SHA-256: D33D7D553EAB4D3489383D29D63040D5AE3F689363E5F0A45C3EA77C2038BCA5
SHA-512: 471EE63396D1B7E115905E67D230995916BC59496CBEBBAF56194C85B66EFABB13F9D1CAA619410C91A2489FB11DB90A0CD1563898DD80C57D35FE42B28BAE30
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avxhqy0w.sb4.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfx0fqqn.qzb.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\tmpE166.tmp
Process: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1596
Entropy (8bit): 5.139399409850454
Encrypted: false
SSDEEP: 24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaHSxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTFv
MD5: 26A051C69290196F57034DA7D1E7709E
SHA1: B44329D0FE08DB8E58ECAB7A7CF6689CD7D07227
SHA-256: C16082D1E821A819EA4D274E12D7D656E83B359B2CA7B33DE143E60AFFC7B1B2
SHA-512: F136BA6DCD40DBC2406DFA3EA89955A6CAC89A8B1D59F82D1973D32582C0AF0A817EA2315DA9DDA9CFCD992A7AC9D9961B4BAC5A74EB18E84729E198082B7582
Malicious: true
                                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
C:\Users\user\AppData\Roaming\0stt4t3u.foi\Chrome\Default\Cookies
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.7006690334145785
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5: A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1: 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256: 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512: 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious: false
                                                                      Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Roaming\IpkVblcOW.exe
                                                                      Process:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):541696
                                                                      Entropy (8bit):7.705207432104832
                                                                      Encrypted:false
                                                                      SSDEEP:12288:HeRK7777777777773PaXkKQOTHvyzB0a3k88leHI8lXjr7MdZFquU9n7F:GK7777777777773lKJviBf3mqpjv
                                                                      MD5:D746678ABD983EE65B7968607DE1E18C
                                                                      SHA1:AC41264273C252B60B7C1FB893324B4F3005C7E6
                                                                      SHA-256:9D69632F6791492FADAB28BEA034F7F18D29BC67FD6E7DB08BDBA847487DA47F
                                                                      SHA-512:ABC9E85926CFF036DBD6C29D4FCDEEAB9B61F9FCACC4FD54F66BE709208068A4FD94E3FED0B0BCA04D1ACA021EE557DEFE0647FC25172FD0F868BA245C4B7CB1
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 53%
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..a..............0..:..........nY... ...`....@.. ....................................@..................................Y..S....`............................................................................... ............... ..H............text...t9... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............B..............@..B................PY......H..........@............................................................f.........b......0@.b......|......Gq....<(?=.N-.....XU...f..O.-.?.-..Z?............. .i.tQej!.....7..C.~......)hG..../.9,...1..a....1...w...3....,...p.....qeF....O..Z.........j..d..Bz ...r ..,....V..D.....\...\/._aJ..H.S..}.6jO72.....]|.3.....|.K._....5.5..&...v6y..w..Z....!y.a+...V.8[....M....._...lBF...Hj_.{$rL......x...-...b2... ....c..... .ymzuW....".....i...E>.c"_.Ci.k..-.....E4.i
                                                                      C:\Users\user\AppData\Roaming\IpkVblcOW.exe:Zone.Identifier
                                                                      Process:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:true
                                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                                      C:\Users\user\Documents\20220114\PowerShell_transcript.841675.Kswsc+3P.20220114121344.txt
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):5785
                                                                      Entropy (8bit):5.397615946643736
                                                                      Encrypted:false
                                                                      SSDEEP:96:BZAj/N8qDo1ZzZpj/N8qDo1ZDcEqE0EjZSj/N8qDo1ZbbEkEkEZZi:jfTy55z
                                                                      MD5:D6B3C23FCD25D07358A19001D22FC386
                                                                      SHA1:12293D610A57C135C68011459FBA0482AA0066D6
                                                                      SHA-256:A3396A55BF59B7EEDAB4F780A1F780637991BF22902619AF14A7D7E6FDDEBF94
                                                                      SHA-512:4C6099DBEA13CAF2C2D44823CA037A5B7015E647975455D0CD6CCBD4BB7B39F60CB40E6B7CBC315921D6A1F774433EE39BE25F977C8C6A8CA6664FF35B9C6EEC
                                                                      Malicious:false
                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114121345..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841675 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\IpkVblcOW.exe..Process ID: 6412..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114121345..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\IpkVblcOW.exe..**********************..Windows PowerShell transcript start..Start time: 20220114121814..Username: computer\user..RunAs User: computer\user.
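The two dropped artefacts above are the ones a responder acts on first: the PowerShell transcript records `Add-MpPreference -ExclusionPath` pointing at the persisted copy under `AppData\Roaming`, and the Zone.Identifier stream next to that copy carries `ZoneId=0`, the local-machine zone rather than the Internet zone that Mark-of-the-Web checks key on. The script below is an added example, not part of the sandbox report: it parses both formats and turns them into findings of the kind a SOC rule would raise. The transcript and stream it embeds are constructed to mirror the previews above (same fields and values, real line breaks in place of the `..`), and the list of user-writable path markers is an assumption chosen for illustration.

```python
"""Triage of two dropped artefacts listed above: the PowerShell transcript that
records the Windows Defender exclusion, and the Zone.Identifier stream written
next to the persisted copy in AppData\\Roaming.  Added example, not the sandbox's
code; both inputs are constructed to mirror the previews shown on the page.
"""
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Constructed transcript in the layout PowerShell transcription writes
# (header block, then each command after a "PS>" prompt).
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20220114121345
Username: computer\user
RunAs User: computer\user
Configuration Name:
Machine: 841675 (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\IpkVblcOW.exe
Process ID: 6412
PSVersion: 5.1.17134.1
**********************
Command start time: 20220114121345
**********************
PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\IpkVblcOW.exe
**********************
"""

# Constructed Zone.Identifier stream with the same content as the dropped one.
SAMPLE_ZONE_IDENTIFIER = "[ZoneTransfer]\r\nZoneId=0\r\n"

# URLZONE_* values carried in Zone.Identifier; 3 and 4 are the Mark-of-the-Web
# zones that SmartScreen and Office Protected View act on.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Assumed list of path fragments an administrator rarely excludes but droppers do.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\users\\public\\", "\\downloads\\")

_CMDLET_RE = re.compile(r"\b((?:Add|Set)-MpPreference)\b(.*)", re.IGNORECASE)
_EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(\"[^\"]+\"|'[^']+'|\S+)", re.IGNORECASE)


def parse_transcript(text: str) -> Dict[str, object]:
    """Split a transcript into its header fields and the commands typed at PS>."""
    header: Dict[str, str] = {}
    commands: List[str] = []
    for line in text.splitlines():
        if line.startswith("PS>"):
            commands.append(line[3:].strip())
        elif ":" in line and not line.startswith("*"):
            key, _, value = line.partition(":")
            header.setdefault(key.strip(), value.strip())  # keep the first block's values
    return {"header": header, "commands": commands}


def find_defender_exclusions(commands: List[str]) -> List[Tuple[str, str, str]]:
    """Return (cmdlet, kind, value) for each exclusion added with Add-/Set-MpPreference.
    Only full parameter names are matched; PowerShell also accepts unambiguous prefixes
    such as -ExclusionP, so a production rule should normalise those first."""
    hits: List[Tuple[str, str, str]] = []
    for cmd in commands:
        m = _CMDLET_RE.search(cmd)
        if not m:
            continue
        for kind, value in _EXCLUSION_RE.findall(m.group(2)):
            hits.append((m.group(1), kind.capitalize(), value.strip("\"'")))
    return hits


def is_user_writable(path: str) -> bool:
    """True when the excluded path sits in a location any user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def parse_zone_identifier(stream: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if it is malformed."""
    cp = configparser.ConfigParser()
    try:
        cp.read_string(stream)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def triage(transcript: str, zone_stream: str) -> List[str]:
    """Human-readable findings for the two artefacts."""
    findings: List[str] = []
    parsed = parse_transcript(transcript)
    pid = parsed["header"].get("Process ID", "?")
    for cmdlet, kind, value in find_defender_exclusions(parsed["commands"]):
        where = "user-writable" if is_user_writable(value) else "system"
        findings.append(f"{cmdlet} -Exclusion{kind} {value} ({where} location, PID {pid})")
    zone = parse_zone_identifier(zone_stream)
    if zone is not None:
        note = "" if zone >= 3 else "; below the Internet zone, so no Mark-of-the-Web checks apply"
        findings.append(f"Zone.Identifier ZoneId={zone} ({ZONE_NAMES.get(zone, 'unknown')}){note}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_TRANSCRIPT, SAMPLE_ZONE_IDENTIFIER):
        print(line)
```

The same `find_defender_exclusions` logic applies to Sysmon event 1 or 4688 command lines, where the `Host Application:` line of the transcript is all that survives; the transcript is only available because the analysis machine had PowerShell transcription enabled, which is the configuration that makes this exclusion visible after the fact.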

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.705207432104832
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                      File name:DHL Delivery Invoice AWB 2774038374.exe
                                                                      File size:541696
                                                                      MD5:d746678abd983ee65b7968607de1e18c
                                                                      SHA1:ac41264273c252b60b7c1fb893324b4f3005c7e6
                                                                      SHA256:9d69632f6791492fadab28bea034f7f18d29bc67fd6e7db08bdba847487da47f
                                                                      SHA512:abc9e85926cff036dbd6c29d4fcdeeab9b61f9fcacc4fd54f66be709208068a4fd94e3fed0b0bca04d1aca021ee557defe0647fc25172fd0f868ba245c4b7cb1
                                                                      SSDEEP:12288:HeRK7777777777773PaXkKQOTHvyzB0a3k88leHI8lXjr7MdZFquU9n7F:GK7777777777773lKJviBf3mqpjv
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..a..............0..:..........nY... ...`....@.. ....................................@................................

                                                                      File Icon

                                                                      Icon Hash:00828e8e8686b000

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x48596e
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                      Time Stamp:0x61E0BC40 [Thu Jan 13 23:56:48 2022 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:v4.0.30319
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes after the 6-byte jmp stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

                                                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85918 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x86000 | 0x5a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x83974 | 0x83a00 | False | 0.852322976021 | data | 7.71584990689 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x86000 | 0x5a8 | 0x600 | False | 0.419921875 | data | 4.07621192209 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x88000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                      Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x860a0 | 0x31c | data | |
RT_MANIFEST | 0x863bc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                      Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                                      Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015
Assembly Version | 1.0.0.0
InternalName | Keywor.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | ram machine
ProductVersion | 1.0.0.0
FileDescription | ram machine
OriginalFilename | Keywor.exe
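Every value in the Static PE Info, Entrypoint Preview, Data Directories, Sections and Imports tables above comes from walking the PE headers: the entry point is ImageBase plus AddressOfEntryPoint, the timestamp is the COFF TimeDateStamp, the section entropies are computed over each section's raw bytes, and the entry stub of a 32-bit .NET assembly is a single `jmp dword ptr [IAT]` through the slot that resolves `mscoree!_CorExeMain`, which is why the preview shows one jmp and then zero padding. The stdlib-only Python below is an added example, not the sandbox's own tooling: it performs that walk and checks the CLR entry-stub shape. Because the sample itself is not on the page, `build_sample_pe()` constructs a toy image that copies the sample's timestamp, DLL characteristics and directory layout; the toy's addresses and body bytes are made up, and its import table is a placeholder that is not parsed.

```python
"""Walk a PE32 header to reproduce the Static PE Info fields shown above (entry point,
timestamp, DLL characteristics, data directories, per-section entropy) and check the x86
.NET entry-stub shape seen in the Entrypoint Preview.  Added example, stdlib only, not the
sandbox's tooling.  build_sample_pe() builds a toy image that copies the sample's timestamp,
flags and directory layout but none of its bytes; its import table is a placeholder."""
import math
import struct
import time

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
             "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
             "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
DLL_FLAGS = {0x40: "DYNAMIC_BASE", 0x100: "NX_COMPAT", 0x400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SEC_FLAGS = {0x20: "IMAGE_SCN_CNT_CODE", 0x40: "IMAGE_SCN_CNT_INITIALIZED_DATA",
             0x02000000: "IMAGE_SCN_MEM_DISCARDABLE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
             0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
OPT_FMT = "<HBB9I6H4I2H6I"  # PE32 optional header up to NumberOfRvaAndSizes (96 bytes)
SEC_FMT = "<8s6I2HI"        # IMAGE_SECTION_HEADER (40 bytes)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally common (packed or encrypted data)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF/optional header -> sections; ValueError if not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    f = struct.unpack_from(OPT_FMT, data, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled")
    ep_rva, image_base, dll_chars, ndirs = f[6], f[9], f[23], f[29]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from(SEC_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
                         "chars": [n for bit, n in SEC_FLAGS.items() if chars & bit]})

    def section_of(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s
        return None

    # The x86 CLR entry stub is "jmp dword ptr [IAT slot]" (FF 25 + absolute address of the
    # slot the loader fills with mscoree!_CorExeMain); everything after it is padding.
    ep_sec = section_of(ep_rva)
    off = ep_sec["rawptr"] + ep_rva - ep_sec["va"] if ep_sec else None
    stub = data[off:off + 6] if off is not None else b""
    iat_rva = dirs[12][0] if len(dirs) > 12 else 0
    clr_stub = (len(stub) == 6 and stub[:2] == b"\xff\x25"
                and struct.unpack("<I", stub[2:])[0] - image_base == iat_rva)
    return {
        "entrypoint": image_base + ep_rva,
        "entry_section": ep_sec["name"] if ep_sec else None,
        "timestamp": time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(tstamp)),
        "dll_characteristics": [n for bit, n in DLL_FLAGS.items() if dll_chars & bit],
        "directories": [(DIR_NAMES[i], rva, size, (section_of(rva) or {}).get("name"))
                        for i, (rva, size) in enumerate(dirs)],
        "sections": sections,
        "is_dotnet": len(dirs) > 14 and dirs[14][1] != 0,  # COM_DESCRIPTOR (CLR header) present
        "clr_entry_stub": clr_stub,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 mirroring the sample's layout: timestamp 0x61E0BC40, IAT at RVA 0x2000,
    CLR header at 0x2008, import table and entry stub inside .text, a small .rsrc.  Toy bytes."""
    text_rva, rsrc_rva, ep_rva = 0x2000, 0x3000, 0x2300
    text = bytearray(0x400)
    struct.pack_into("<II", text, 0, text_rva + 0x130, 0)          # IAT slot + terminator
    struct.pack_into("<IHH", text, 8, 0x48, 2, 5)                   # IMAGE_COR20_HEADER cb, version
    text[0x50:0x300] = (bytes(range(256)) * 3)[:0x2B0]              # high-entropy stand-in body
    text[0x300:0x306] = b"\xff\x25" + struct.pack("<I", 0x400000 + text_rva)  # jmp [0x402000]
    rsrc = b"VS_VERSION_INFO".ljust(0x200, b"\0")
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2] = (text_rva + 0x100, 0x53), (rsrc_rva, len(rsrc))  # IMPORT, RESOURCE
    dirs[12], dirs[14] = (text_rva, 8), (text_rva + 8, 0x48)            # IAT, COM_DESCRIPTOR
    opt = struct.pack(OPT_FMT, 0x10B, 48, 0, len(text), len(rsrc), 0, ep_rva, text_rva, rsrc_rva,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    secs = struct.pack(SEC_FMT, b".text", len(text), text_rva, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SEC_FMT, b".rsrc", len(rsrc), rsrc_rva, len(rsrc), 0x600, 0, 0, 0, 0, 0x40000040)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x61E0BC40, 0, 0, len(opt), 0x0102)
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    return bytes(headers + text + rsrc)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key in ("entrypoint", "entry_section", "timestamp", "dll_characteristics", "is_dotnet", "clr_entry_stub"):
        print(f"{key}: {info[key]:#x}" if key == "entrypoint" else f"{key}: {info[key]}")
    for s in info["sections"]:
        print(f"{s['name']}: va={s['va']:#x} raw={s['rawsize']:#x} entropy={s['entropy']:.2f} {' '.join(s['chars'])}")
```

Run against the real file, the same walk yields the values in the tables above: a 7.72-bit `.text` section that is almost the whole 541696-byte image, one import (`mscoree.dll!_CorExeMain`) and a populated COM descriptor. High entropy in the only code section of a .NET assembly is the static counterpart of the "Detected unpacking (overwrites its own PE header)" signature in the report header: the real payload is stored encrypted and is decrypted at run time.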

                                                                      Network Behavior

                                                                      Network Port Distribution

                                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 12:15:26.167486906 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.220597029 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.220705986 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.466979980 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.467441082 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.520574093 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.520664930 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.521023989 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.574187994 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.629380941 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.684173107 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.684215069 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.684240103 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.684261084 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.684379101 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.684479952 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.745583057 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.801501989 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.868572950 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.902798891 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:26.956233978 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:26.957650900 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:27.011046886 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:27.023799896 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:27.092269897 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:27.093909025 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:27.158292055 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:27.161176920 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:27.219495058 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:27.220213890 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:27.273446083 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:27.275986910 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:27.276510000 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:27.277508974 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:27.277640104 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:27.329519987 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:27.330472946 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:27.827804089 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:27.868640900 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:28.552953005 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:28.607660055 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:28.607686043 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:28.608239889 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:28.625484943 CET | 49841 | 587 | 192.168.2.4 | 77.88.21.158
Jan 14, 2022 12:15:28.679210901 CET | 587 | 49841 | 77.88.21.158 | 192.168.2.4
Jan 14, 2022 12:15:28.787164927 CET | 49842 | 587 | 192.168.2.4 | 77.88.21.158
                                                                      Jan 14, 2022 12:15:28.847893953 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:28.848299026 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.150554895 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.150820971 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.211287022 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.211329937 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.211972952 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.272480965 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.273148060 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.336481094 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.336514950 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.336534023 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.336555004 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.336635113 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.336692095 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.341114998 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.402642012 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.405498028 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.466238976 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.468667030 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.529733896 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.530705929 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.608129025 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.609946966 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.680717945 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.681868076 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.750207901 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.750885010 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.812032938 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.813957930 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.814150095 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.814244032 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.814341068 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.814515114 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.814659119 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.814697027 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.814779043 CET49842587192.168.2.477.88.21.158
                                                                      Jan 14, 2022 12:15:29.874444008 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.874646902 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.874839067 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.874917030 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:29.917809010 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:30.453747988 CET5874984277.88.21.158192.168.2.4
                                                                      Jan 14, 2022 12:15:30.509597063 CET49842587192.168.2.477.88.21.158

                                                                      UDP Packets


                                                                      DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class
Jan 14, 2022 12:15:26.087116003 CET  192.168.2.4  8.8.8.8  0x97c7    Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)
Jan 14, 2022 12:15:26.124697924 CET  192.168.2.4  8.8.8.8  0x1636    Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)
Jan 14, 2022 12:15:28.679773092 CET  192.168.2.4  8.8.8.8  0xa90c    Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)
Jan 14, 2022 12:15:28.707578897 CET  192.168.2.4  8.8.8.8  0x251b    Standard query (0)  smtp.yandex.com  A (IP address)  IN (0x0001)

                                                                      DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name             CName           Address       Type                    Class
Jan 14, 2022 12:15:26.106892109 CET  8.8.8.8    192.168.2.4  0x97c7    No error (0)  smtp.yandex.com  smtp.yandex.ru  -             CNAME (Canonical name)  IN (0x0001)
Jan 14, 2022 12:15:26.106892109 CET  8.8.8.8    192.168.2.4  0x97c7    No error (0)  smtp.yandex.ru   -               77.88.21.158  A (IP address)          IN (0x0001)
Jan 14, 2022 12:15:26.144438028 CET  8.8.8.8    192.168.2.4  0x1636    No error (0)  smtp.yandex.com  smtp.yandex.ru  -             CNAME (Canonical name)  IN (0x0001)
Jan 14, 2022 12:15:26.144438028 CET  8.8.8.8    192.168.2.4  0x1636    No error (0)  smtp.yandex.ru   -               77.88.21.158  A (IP address)          IN (0x0001)
Jan 14, 2022 12:15:28.698627949 CET  8.8.8.8    192.168.2.4  0xa90c    No error (0)  smtp.yandex.com  smtp.yandex.ru  -             CNAME (Canonical name)  IN (0x0001)
Jan 14, 2022 12:15:28.698627949 CET  8.8.8.8    192.168.2.4  0xa90c    No error (0)  smtp.yandex.ru   -               77.88.21.158  A (IP address)          IN (0x0001)
Jan 14, 2022 12:15:28.785387993 CET  8.8.8.8    192.168.2.4  0x251b    No error (0)  smtp.yandex.com  smtp.yandex.ru  -             CNAME (Canonical name)  IN (0x0001)
Jan 14, 2022 12:15:28.785387993 CET  8.8.8.8    192.168.2.4  0x251b    No error (0)  smtp.yandex.ru   -               77.88.21.158  A (IP address)          IN (0x0001)

                                                                      SMTP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP       Commands
Jan 14, 2022 12:15:26.466979980 CET  587          49841      77.88.21.158  192.168.2.4   220 iva6-2d18925256a6.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642158926-aZNwVR2QUL-FQPK1Hth
Jan 14, 2022 12:15:26.467441082 CET  49841        587        192.168.2.4   77.88.21.158  EHLO 841675
Jan 14, 2022 12:15:26.520664930 CET  587          49841      77.88.21.158  192.168.2.4   250-iva6-2d18925256a6.qloud-c.yandex.net
                                                                                         250-8BITMIME
                                                                                         250-PIPELINING
                                                                                         250-SIZE 53477376
                                                                                         250-STARTTLS
                                                                                         250-AUTH LOGIN PLAIN XOAUTH2
                                                                                         250-DSN
                                                                                         250 ENHANCEDSTATUSCODES
Jan 14, 2022 12:15:26.521023989 CET  49841        587        192.168.2.4   77.88.21.158  STARTTLS
Jan 14, 2022 12:15:26.574187994 CET  587          49841      77.88.21.158  192.168.2.4   220 Go ahead
Jan 14, 2022 12:15:29.150554895 CET  587          49842      77.88.21.158  192.168.2.4   220 iva3-dd2bb2ff2b5f.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642158929-9qUrbSArjI-FSQSnRDh
Jan 14, 2022 12:15:29.150820971 CET  49842        587        192.168.2.4   77.88.21.158  EHLO 841675
Jan 14, 2022 12:15:29.211329937 CET  587          49842      77.88.21.158  192.168.2.4   250-iva3-dd2bb2ff2b5f.qloud-c.yandex.net
                                                                                         250-8BITMIME
                                                                                         250-PIPELINING
                                                                                         250-SIZE 53477376
                                                                                         250-STARTTLS
                                                                                         250-AUTH LOGIN PLAIN XOAUTH2
                                                                                         250-DSN
                                                                                         250 ENHANCEDSTATUSCODES
Jan 14, 2022 12:15:29.211972952 CET  49842        587        192.168.2.4   77.88.21.158  STARTTLS
Jan 14, 2022 12:15:29.272480965 CET  587          49842      77.88.21.158  192.168.2.4   220 Go ahead

                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior

                                                                      System Behavior

                                                                      General

                                                                      Start time:12:13:34
                                                                      Start date:14/01/2022
                                                                      Path:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe"
                                                                      Imagebase:0x5e0000
                                                                      File size:541696 bytes
                                                                      MD5 hash:D746678ABD983EE65B7968607DE1E18C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      General

                                                                      Start time:12:13:43
                                                                      Start date:14/01/2022
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe
                                                                      Imagebase:0x930000
                                                                      File size:430592 bytes
                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:13:43
                                                                      Start date:14/01/2022
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:13:43
                                                                      Start date:14/01/2022
                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp
                                                                      Imagebase:0x360000
                                                                      File size:185856 bytes
                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:13:44
                                                                      Start date:14/01/2022
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:13:46
                                                                      Start date:14/01/2022
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Imagebase:0xa60000
                                                                      File size:45152 bytes
                                                                      MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.723647574.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.723647574.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.723173768.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.723173768.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.722802377.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.722802377.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.722291160.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.722291160.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:high

                                                                      Disassembly

                                                                      Code Analysis
