
Windows Analysis Report DHL Delivery Invoice AWB 2774038374 .pdf.exe

Overview

General Information

Sample Name: DHL Delivery Invoice AWB 2774038374 .pdf.exe
Analysis ID: 553161
MD5: a44512118be5e5420c9d710a96353898
SHA1: 5867f5faf6acfa48b90f21d655411fd98d50136d
SHA256: 9ca32954bc9ae96f11d246ca45443522a731631c154f768938c556869e01b555
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
Sigma detected: Suspicious Add Task From User AppData Temp
Machine Learning detection for sample
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Uses an obfuscated file name to hide its real file extension (double extension)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • DHL Delivery Invoice AWB 2774038374 .pdf.exe (PID: 6344, cmdline: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe", MD5: A44512118BE5E5420C9D710A96353898)
    • powershell.exe (PID: 6916, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe", MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6924, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6936, cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7044, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 7092, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, MD5: 2867A3817C9245F7CF518524DFD18F28)

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "vladmir@amova.ga", "Password": "marcellinus360", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(14 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
13.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
13.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
13.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(16 further entries not shown)
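The dump identifiers above encode where each Yara hit was taken: the process it came from, the base address and the page protection of the region. The following Python is an added example and not part of the Joe Sandbox report. It parses those identifiers (the field layout is inferred from the identifiers on this page and is an assumption; only the page-protection constants are standard winnt.h values) and flags writable-and-executable regions inside RegSvcs.exe, which together with the AgentTesla hits at 0x402000, just above the 0x400000 image base seen in the "13.0.RegSvcs.exe.400000.*.unpack" names, is the hollowed-host picture the argument-less RegSvcs.exe in the Process Tree suggests. The process-index-to-name mapping is read off the unpack names (13 = RegSvcs.exe, 0 = the sample); the identifiers used as input are copied from this report.

```python
"""Decode Joe Sandbox memory-dump identifiers and flag RWX regions in a .NET host.

Added example; not part of the Joe Sandbox report. Assumed field layout
(inferred from the identifiers on this page, not documented here):
<process index, hex>.<stage>.<dump serial>.<base address, hex>.<page protection, hex>.<sandbox type>.sdmp
Only the page-protection constants are standard (winnt.h); the last field is
sandbox-specific and is carried through undecoded.
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80

HEX = r"[0-9A-Fa-f]"
DUMP_RE = re.compile(
    rf"^({HEX}{{8}})\.({HEX}{{8}})\.(\d+)\.({HEX}{{16}})\.({HEX}{{8}})\.({HEX}{{8}})\.sdmp$")


@dataclass(frozen=True)
class DumpId:
    process_index: int   # sandbox process index, not the OS PID (0xD = 13 = RegSvcs.exe here)
    stage: int
    serial: int
    base: int
    protect: int
    sandbox_type: int

    @property
    def protection(self):
        # Modifier bits (PAGE_GUARD etc.) live above the low byte; name the base protection.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:08X}")

    @property
    def is_wx(self):
        p = self.protect & 0xFF
        return bool(p & EXECUTABLE) and bool(p & WRITABLE)


def parse_dump_id(text):
    m = DUMP_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {text!r}")
    idx, stage, serial, base, prot, typ = m.groups()
    return DumpId(int(idx, 16), int(stage, 16), int(serial), int(base, 16), int(prot, 16), int(typ, 16))


# Constructed input: identifiers quoted in this report. Process names come from
# the unpack names in the Yara Overview (index 13 = RegSvcs.exe, index 0 = the sample).
PROCESS_NAMES = {0: "DHL Delivery Invoice AWB 2774038374 .pdf.exe", 13: "RegSvcs.exe"}
YARA_HIT_DUMPS = [
    "0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp",
    "0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp",
    "0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp",
]
STRING_HIT_DUMPS = [
    "0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp",
    "00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp",
]


def injected_regions(dump_ids, process_names, hosts=("regsvcs.exe",)):
    """Writable+executable regions inside a legitimate .NET host process.

    A signed Windows binary has no business holding RWX pages; when the family
    Yara rules fire on exactly those pages the host has been hollowed.
    Returns sorted, de-duplicated (process name, base, protection name) tuples."""
    found = set()
    for text in dump_ids:
        d = parse_dump_id(text)
        name = process_names.get(d.process_index, f"process index {d.process_index}")
        if name.lower() in hosts and d.is_wx:
            found.add((name, d.base, d.protection))
    return sorted(found)


if __name__ == "__main__":
    for name, base, prot in injected_regions(YARA_HIT_DUMPS + STRING_HIT_DUMPS, PROCESS_NAMES):
        print(f"{name}: 0x{base:X} {prot}")
```

The two RegSvcs.exe string-hit dumps (0x2F91000, PAGE_READWRITE) are heap, where the decrypted SMTP host and URLs live; only the 0x402000 region is both writable and executable, which is why that is where the unpacker and the Yara rules converge.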

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe", ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7092
Sigma detected: Suspicious Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe", ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp", ProcessId: 6936
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe", ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, ParentProcessId: 6344, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe", ProcessId: 6916
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: the same process-start event as the Bad Opsec Defaults hit above (RegSvcs.exe, ProcessId 7092, ParentProcessId 6344)
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: the same process-start event as the Powershell Defender Exclusion hit above (powershell.exe, ProcessId 6916, ParentProcessId 6344)
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132866648308116717.6916.DefaultAppDomain.powershell

Note that the 32-bit sample launches powershell.exe and schtasks.exe by their System32 path, but WoW64 file-system redirection resolves the Image field to C:\Windows\SysWOW64\...; detections keyed on the image path must cover both directories.
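The three process-start hits above, together with the double-extension file name flagged in the Signatures list, are the behaviours a detection engineer would want to reproduce outside the sandbox. The following Python is an added example and is not part of the Joe Sandbox report or a copy of the Sigma rules it cites. It re-implements those behaviours as predicates over Sysmon Event ID 1 style process-creation records hand-written from the Process Tree, then correlates the hits by parent PID so that the loader chaining a Defender exclusion, a scheduled-task import from Temp and an argument-less RegSvcs.exe surfaces as a single root. The sample's own parent (explorer.exe, PID 4000) and the inclusion of RegAsm.exe among the sacrificial hosts are assumptions; the report itself shows only RegSvcs.exe.

```python
"""Behavioural detection over the process chain in this report.

Added example; not part of the Joe Sandbox report nor a copy of the Sigma rules
it cites. Predicates over Sysmon Event ID 1 style process-creation records for:
a Defender exclusion added through PowerShell, schtasks.exe importing a task
XML from a user Temp directory, an argument-less .NET utility spawned by a
binary outside the Windows directory (the "sacrificial process"), and a
double-extension file name. Records are hand-written from the Process Tree.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed records (not sandbox exports). Quoting around image paths is
# restored; the sandbox view drops the opening quote. Parent of the sample
# (explorer.exe, PID 4000) is an assumption.
EVENTS = [
    {"ProcessId": 6344, "ParentProcessId": 4000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": SAMPLE, "CommandLine": '"' + SAMPLE + '"'},
    {"ProcessId": 6916, "ParentProcessId": 6344, "ParentImage": SAMPLE, "Image": PS_IMAGE,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe"'},
    {"ProcessId": 6924, "ParentProcessId": 6916, "ParentImage": PS_IMAGE,
     "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 6936, "ParentProcessId": 6344, "ParentImage": SAMPLE,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp"'},
    {"ProcessId": 7092, "ParentProcessId": 6344, "ParentImage": SAMPLE,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
]

EXCLUSION_RE = re.compile(r'-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|zip)\.exe$", re.I)
# Only RegSvcs.exe appears in the report; RegAsm.exe is added on the same reasoning (assumption).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}
WINDOWS_DIR = ntpath.normcase("C:\\Windows\\")


def basename(path):
    return ntpath.basename(path).lower()


def excluded_paths(cmdline):
    """Values passed to Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension."""
    return [quoted or bare for quoted, bare in EXCLUSION_RE.findall(cmdline)]


def rule_defender_exclusion(ev):
    cl = ev["CommandLine"]
    return (basename(ev["Image"]) == "powershell.exe"
            and "add-mppreference" in cl.lower() and bool(excluded_paths(cl)))


def rule_schtasks_xml_from_temp(ev):
    cl = ev["CommandLine"].lower()
    return (basename(ev["Image"]) == "schtasks.exe" and "/create" in cl
            and "/xml" in cl and "\\appdata\\local\\temp\\" in cl)


def rule_sacrificial_dotnet_host(ev):
    """A .NET utility started with no arguments by a parent outside the Windows directory."""
    cl = ntpath.normcase(ev["CommandLine"].strip().strip('"'))
    no_args = cl == ntpath.normcase(ev["Image"])
    parent_in_windows = ntpath.normcase(ev["ParentImage"]).startswith(WINDOWS_DIR)
    return basename(ev["Image"]) in DOTNET_HOSTS and no_args and not parent_in_windows


def rule_double_extension(ev):
    return DOUBLE_EXT_RE.search(ntpath.basename(ev["Image"])) is not None


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "sacrificial_dotnet_host": rule_sacrificial_dotnet_host,
    "double_extension": rule_double_extension,
}


def triage(events):
    """Map each PID to the rule names it trips; PIDs with no hits are omitted."""
    hits = {}
    for ev in events:
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits[ev["ProcessId"]] = names
    return hits


def suspicious_roots(events, min_distinct_rules=2):
    """Parents whose children trip at least two different rules. One process
    chaining defence evasion, persistence and a hollowing host is the loader
    pattern in this report, not an administrator running a single command."""
    hits = triage(events)
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev["ParentProcessId"]].update(hits.get(ev["ProcessId"], []))
    return sorted(pid for pid, names in by_parent.items() if len(names) >= min_distinct_rules)


if __name__ == "__main__":
    for pid, names in triage(EVENTS).items():
        print(pid, names)
    print("suspicious root PIDs:", suspicious_roots(EVENTS))
```

Image checks compare basenames, so the SysWOW64 redirection visible in the Image fields above does not matter. A production rule would additionally exclude parents that legitimately run Add-MpPreference (configuration-management agents), which is exactly the tuning the parent-PID correlation is meant to make unnecessary for this chain.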

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "vladmir@amova.ga", "Password": "marcellinus360", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Virustotal: Detection: 33%
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; ReversingLabs: Detection: 51%
Antivirus / Scanner detection for submitted sample
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe; Avira: detection malicious, Label: HEUR/AGEN.1140941
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe; ReversingLabs: Detection: 51%
Machine Learning detection for sample
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.0.RegSvcs.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen2
Source: 13.0.RegSvcs.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 13.0.RegSvcs.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 13.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (0_2_04F474DC)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (0_2_04F4A7A8)
Source: Joe Sandbox View; IP Address: 77.88.21.158
Source: global traffic; TCP traffic: 192.168.2.5:49811 -> 77.88.21.158:587 (SMTP submission port; the destination is the smtp.yandex.com exfiltration host from the extracted configuration)
Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp; Strings found in binary or memory: http://127.0.0.1:HTTP/1.1, http://DynDns.comDynDNS
Source: RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmp; Strings found in binary or memory (CRL, OCSP and repository URLs from the X.509 chain presented by the SMTP server; the trailing characters after each URL are adjacent DER bytes, not part of the URL): http://crl.certum.pl/ca.crl0h, http://crl.certum.pl/ctnca.crl0k, http://crls.yandex.net/certum/ycasha2.crl0-, http://repository.certum.pl/ca.cer09, http://repository.certum.pl/ctnca.cer09, http://repository.certum.pl/ycasha2.cer0, http://subca.ocsp-certum.com0., http://subca.ocsp-certum.com01, http://www.certum.pl/CPS0
Source: RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp; String found in binary or memory: http://smtp.yandex.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp; Strings found in binary or memory: http://fontfabrik.com, http://www.apache.org/licenses/LICENSE-2.0, http://www.carterandcone.coml
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285603469.0000000007E2B000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com-
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284461330.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comG
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp; Strings found in binary or memory: http://www.carterandcone.comangN, http://www.carterandcone.comext:, http://www.carterandcone.comscreen, http://www.carterandcone.comzJo
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284461330.0000000007E5B000.00000004.00000001.sdmp, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comy:
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286553878.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287899875.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286577441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery 
Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.290986801.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286437473.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286553878.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286457867.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286523913.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/r-t
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com6
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291195934.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291081649.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291322066.0000000007E59000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291229679.0000000007E3B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: smtp.yandex.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: thread id 0 (all threads on the desktop), type: low-level keyboard (WH_KEYBOARD_LL), hook module: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_01360D50 SetWindowsHookExW 0000000D,00000000,?,? (idHook 0x0D = WH_KEYBOARD_LL, dwThreadId 0 = system-wide hook; the keylogger component of the injected payload)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315845483.0000000000DDB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS (the OLE clipboard window class, created when a process accesses the clipboard; consistent with clipboard capture)

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: DHL Delivery Invoice AWB 2774038374 .pdf.exe
.NET source code contains very large array initializations
Source: 13.0.RegSvcs.exe.400000.0/1/2/3/4.unpack and 13.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{CB5D8163-DDD9-461D-8999-58E4C6CEA2EE}/C320B9C2-BC65-4DC5-ADE0-8F7E52CC18E7.cs | Large array initialization: .cctor: array initializer size 11950 (same finding in all six unpacked RegSvcs.exe images; a static constructor filling an 11950-byte array is the usual way an obfuscated .NET loader embeds an encrypted blob that it decodes at startup)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code functions: 0_2_010121C0, 0_2_010117A8, 0_2_0101B61C, 0_2_01010F98, 0_2_010153E3, 0_2_010153E8, 0_2_01015220, 0_2_01015230, 0_2_01010470, 0_2_01015620, 0_2_01015628, 0_2_01015831, 0_2_01014B10, 0_2_01014B20, 0_2_01010F85, 0_2_04F4560C, 0_2_04F480D8, 0_2_04F480CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions: 13_2_00F73C70, 13_2_00F76048, 13_2_00F7DC00, 13_2_00F74108, 13_2_00F7A270, 13_2_00F7121E, 13_2_00F740F9, 13_2_00F7BC40, 13_2_00F7D3F0, 13_2_01213590, 13_2_01214C68, 13_2_012108B0, 13_2_01218098, 13_2_0121AF10, 13_2_0121BC50, 13_2_012188E8, 13_2_012187E9, 13_2_01369520, 13_2_0136A890, 13_2_01361360, 13_2_013BED68, 13_2_013B68B0, 13_2_013B5B50, 13_2_013B5620, 13_2_013B3698, 13_2_013BE2C8
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Binary or memory string: OriginalFilename vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTJzdZfqxlSCjboeRXxLugro.exe4 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320700009.000000000AFD0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTJzdZfqxlSCjboeRXxLugro.exe4 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000000.277349228.0000000000672000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315845483.0000000000DDB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.315495501.00000000006F8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Binary or memory string: OriginalFilenameNamedPermissionS.exe8 vs DHL Delivery Invoice AWB 2774038374 .pdf.exe
Note: the sample's own version resource names it NamedPermissionS.exe, not the DHL invoice name it was delivered under, and two further PE images (UI.dll and TJzdZfqxlSCjboeRXxLugro.exe) appear in its memory, i.e. the file carries additional embedded executables that it unpacks at run time (clr.dll is the .NET runtime and is expected).
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: uHlRqGSIW.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Virustotal: Detection: 33%
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File read: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy settings, read routinely at process start; not sample-specific)
Source: unknown | Process created: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe"
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Note: the sample is a 32-bit process, so the System32 paths on its command lines resolve to the SysWOW64 images. It adds a Defender exclusion for its dropped copy before the copy is ever run, registers the scheduled task from a temporary XML file, and starts RegSvcs.exe with no arguments; the AgentTesla payload then runs inside that legitimate, signed .NET host (process 13, 0000000D, in this report), the standard .NET process-hollowing pattern.
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 occurrences; hardware fingerprinting for the victim record in the exfiltration message)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File created: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/9@2/1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_01 (standard conhost/WIL error-reporting mutex, not sample-specific)
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
Source: 13.0.RegSvcs.exe.400000.0.unpack, 13.0.RegSvcs.exe.400000.2.unpack, 13.0.RegSvcs.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (reported twice per image, i.e. two decryption call sites; this is where embedded data such as the configuration is decrypted)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook account-settings key; this is the registry access behind the "Tries to steal Mail credentials" signature)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (managed .NET image)
Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
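The process chain above (a double-extension sample that launches powershell.exe with Add-MpPreference -ExclusionPath, schtasks.exe /Create with its XML in %TEMP%, and an argument-less RegSvcs.exe) is exactly what the three Sigma matches listed for this sample key on. The following Python script is an added example, not part of the Joe Sandbox report or of the sample, that encodes those rules and runs them over constructed process-creation events built from the rows above; the parent of the first event (explorer.exe), the record layout and the rule names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event (Sysmon Event ID 1 / Security 4688 style), reduced to the fields the rules need."""
    parent_image: str
    image: str
    command_line: str


# Constructed events reproducing the process chain in this report. Parent/image/command line come
# from the report rows; the record layout is ours. The parent of the first event is assumed
# (the report lists it as unknown).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe",
              r'"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp"'),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
]

# Signed .NET host binaries that loaders commonly start empty and then hollow out.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\s*\.(exe|scr|com|pif|bat)$", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
TASK_FROM_TEMP = re.compile(r'/create\b.*/xml\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def has_arguments(command_line: str) -> bool:
    """True when anything follows the executable token; a quoted image path is skipped as one token."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        rest = cmd[end + 1:] if end != -1 else ""
    else:
        rest = cmd.split(None, 1)[1] if " " in cmd else ""
    return rest.strip() != ""


def rule_defender_exclusion(e: ProcEvent) -> bool:
    """PowerShell adding a Defender exclusion (Sigma: Powershell Defender Exclusion)."""
    return basename(e.image).lower() == "powershell.exe" and bool(DEFENDER_EXCLUSION.search(e.command_line))


def rule_task_from_temp(e: ProcEvent) -> bool:
    """schtasks /Create whose XML definition lives in AppData\\Local\\Temp (Sigma: Suspicious Add Task From User AppData Temp)."""
    return basename(e.image).lower() == "schtasks.exe" and bool(TASK_FROM_TEMP.search(e.command_line))


def rule_hollowed_dotnet_host(e: ProcEvent) -> bool:
    """A .NET host started with no arguments by a parent under C:\\Users (Sigma: Bad Opsec Defaults Sacrificial Processes)."""
    return (basename(e.image).lower() in DOTNET_HOSTS
            and not has_arguments(e.command_line)
            and "\\users\\" in e.parent_image.lower())


def rule_double_extension(e: ProcEvent) -> bool:
    """Document extension immediately followed by an executable extension in the image name."""
    return bool(DOUBLE_EXT.search(basename(e.image)))


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "double_extension": rule_double_extension,
    "defender_exclusion": rule_defender_exclusion,
    "task_from_temp": rule_task_from_temp,
    "hollowed_dotnet_host": rule_hollowed_dotnet_host,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run every rule over every event; returns (rule name, image basename) pairs in event order."""
    return [(name, basename(e.image)) for e in events for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for rule_name, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name:22} {image}")
```

The hollowed-host rule deliberately requires both an empty command line and a parent under C:\Users: legitimate installers do start RegSvcs.exe, but with arguments and from Program Files or a build tree, and that combination is where the false positives would otherwise come from. The conhost.exe children match nothing, as they should.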

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Code function: 0_2_04F46380 push eax; retf (retf at 0_2_04F46381)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0136D594 push ebx; iretd (iretd at 13_2_0136D595)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013BB597 push edi; retn 0000h (retn at 13_2_013BB599)
Source: initial sample | Static PE information: section name: .text entropy: 7.72362140685 (close to the 8.0 maximum; an executable section this dense is compressed or encrypted data rather than plain code, which is the static signal of a packed sample)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File created: \dhl delivery invoice awb 2774038374 .pdf.exe (6 occurrences)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | File created: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe (dropped file)
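The .text entropy of 7.72 reported above is the static counterpart of the two unpacking signatures: a plain .NET .text section holds IL and metadata and typically sits well below 7 bits per byte, whereas compressed or encrypted bytes approach the 8.0 maximum. The script below is an added example (not report or sample code) that parses a PE section table with nothing but struct, computes per-section Shannon entropy, renders the E/R/W rights string used in the "changes PE section rights" row, and flags executable sections above a threshold. The image it analyses is constructed in code to mirror the .text:ER;.rsrc:R;.reloc:R layout above; the LCG filler stands in for packed code and is not bytes from the sample.

```python
import math
import struct
from typing import List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted code sits above about 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def rights(characteristics: int) -> str:
    """Section rights in the E/R/W notation the report uses (e.g. '.text:ER')."""
    bits = (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE))
    return "".join(flag for flag, bit in bits if characteristics & bit)


def section_table(pe: bytes) -> List[Tuple[str, int, int, int]]:
    """Walk DOS header -> PE header -> section table; returns (name, raw offset, raw size, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # IMAGE_FILE_HEADER.NumberOfSections
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_hdr_size                              # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)   # SizeOfRawData, PointerToRawData
        chars = struct.unpack_from("<I", pe, off + 36)[0]             # Characteristics
        sections.append((name, raw_ptr, raw_size, chars))
    return sections


def section_report(pe: bytes) -> List[Tuple[str, str, float]]:
    """(name, rights, entropy) per section, entropy computed over the raw file bytes of the section."""
    return [(name, rights(chars), round(shannon_entropy(pe[ptr:ptr + size]), 2))
            for name, ptr, size, chars in section_table(pe)]


def suspicious_sections(pe: bytes, threshold: float = 7.0) -> List[Tuple[str, float]]:
    """Executable sections whose bytes look compressed or encrypted: the packed-sample signal."""
    return [(name, ent) for name, r, ent in section_report(pe) if "E" in r and ent >= threshold]


def lcg_bytes(n: int, seed: int = 0x5EED) -> bytes:
    """Deterministic pseudo-random filler standing in for packed code (constructed, not real malware bytes)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def build_fake_pe(sections: List[Tuple[str, bytes, int]]) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, file header with an empty optional header,
    section table, then the raw section data. Not loadable, just enough for a section-table parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)  # i386, no optional header
    raw_ptr = e_lfanew + 4 + len(file_header) + 40 * len(sections)
    table, blobs = bytearray(), bytearray()
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, chars)
        blobs += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(table) + bytes(blobs)


# Constructed image mirroring the layout reported above (.text:ER; .rsrc:R; .reloc:R).
SAMPLE_PE = build_fake_pe([
    (".text", lcg_bytes(4096), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rsrc", lcg_bytes(2048, seed=7), IMAGE_SCN_MEM_READ),              # high entropy but not executable
    (".reloc", bytes([0x00, 0x30, 0x10, 0x00] * 64), IMAGE_SCN_MEM_READ),  # ordinary low-entropy data
])

if __name__ == "__main__":
    for name, r, ent in section_report(SAMPLE_PE):
        print(f"{name:8} {r:3} entropy={ent}")
    print("packed:", suspicious_sections(SAMPLE_PE))
```

Only executable sections are scored against the threshold: a high-entropy .rsrc is normal (icons, compressed resources), so the same check applied to every section would fire on most legitimate binaries.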

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp" (the task definition comes from a temporary XML file the sample wrote; the task name matches the dropped copy C:\Users\user\AppData\Roaming\uHlRqGSIW.exe, and the registered definition is stored as C:\Windows\System32\Tasks\Updates\uHlRqGSIW)
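Because the task is registered from an XML file, the registered copy under C:\Windows\System32\Tasks is the artefact to collect after the fact. The following Python is an added example, not from the report or the sample, of triaging such a task file: it parses the Task Scheduler XML namespace, pulls out triggers, actions and a few settings, and flags the patterns a responder looks for. The XML content is constructed for the example (the real tmpCDD.tmp is not shown in the report); that it points at the dropped C:\Users\user\AppData\Roaming\uHlRqGSIW.exe with a logon trigger is an assumption based on the dropped-file and Defender-exclusion rows above.

```python
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Tuple, Union

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger", "SessionStateChangeTrigger", "RegistrationTrigger"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\downloads\\")


def parse_task(xml_text: Union[str, bytes]) -> Dict[str, Any]:
    """Pull author, trigger kinds, Exec actions and a few settings out of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", TASK_NS)
    triggers = [child.tag.split("}")[-1] for child in triggers_el] if triggers_el is not None else []
    actions: List[Tuple[str, str]] = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    hidden = (root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS) or "").strip().lower()
    return {
        "author": (root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS) or "").strip(),
        "triggers": triggers,
        "actions": actions,
        "hidden": hidden == "true",
        "time_limit": (root.findtext("t:Settings/t:ExecutionTimeLimit", default="", namespaces=TASK_NS) or "").strip(),
    }


def load_task_file(path: str) -> Dict[str, Any]:
    """Real files under C:\\Windows\\System32\\Tasks are UTF-16 with a BOM: read bytes so the XML declaration is honoured."""
    with open(path, "rb") as fh:
        return parse_task(fh.read())


def task_findings(task: Dict[str, Any]) -> List[str]:
    """Heuristics applied to a parsed task; an empty list means nothing stood out."""
    findings: List[str] = []
    for cmd, _args in task["actions"]:
        if any(marker in cmd.lower().strip('"') for marker in USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {cmd}")
    persistent = PERSISTENCE_TRIGGERS.intersection(task["triggers"])
    if persistent:
        findings.append("persistence trigger: " + ", ".join(sorted(persistent)))
    if task["hidden"]:
        findings.append("task is hidden from the Task Scheduler UI")
    if task["time_limit"] == "PT0S":
        findings.append("no execution time limit (PT0S): the action may run indefinitely")
    return findings


# Constructed task definition modelled on what the schtasks command above would register;
# the trigger, settings and action path are assumptions, not the contents of tmpCDD.tmp.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Roaming\uHlRqGSIW.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign counterpart: vendor updater, daily schedule, one-hour limit, Program Files path.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Vendor</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2022-01-01T03:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden><ExecutionTimeLimit>PT1H</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("sample task", SAMPLE_TASK_XML), ("benign task", BENIGN_TASK_XML)):
        task = parse_task(xml)
        print(label, task["triggers"], task["actions"])
        for finding in task_findings(task):
            print("  !", finding)
```

Pair this with the Defender-exclusion row: a task whose action lives under AppData and whose path was excluded from scanning minutes earlier is about as clear a persistence signal as a host gives.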

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe | Static PE information: DHL Delivery Invoice AWB 2774038374 .pdf.exe (with Explorer's default "hide extensions for known file types" setting the file is shown as "DHL Delivery Invoice AWB 2774038374 .pdf")
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe | Process information set: NOOPENFILEERRORBOX (42 occurrences; the SetErrorMode flag that suppresses "file not found" dialogs, set routinely by the .NET runtime while probing for assemblies)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (16 occurrences)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match; File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.2a6f26c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374 .pdf.exe PID: 6344, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe TID: 6348; Thread sleep time: -35447s >= -30000s
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe TID: 6420; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088; Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7340
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1187
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 2740
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 7099
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 occurrences)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Thread delayed: delay time: 35447
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 922337203685477
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp; Binary or memory string: vmware
                      Source: RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
                      Source: DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 13_2_00F7EFB8 LdrInitializeThunk,13_2_00F7EFB8
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe (2 occurrences)
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
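                      The evasion entries in the previous section (Sandboxie and Wine strings, VMware Tools paths, WMI hardware queries, sleeps of 922337203685477 ms) and the three launches in this section (PowerShell with Add-MpPreference -ExclusionPath, schtasks /Create with an XML under AppData\Local\Temp, and RegSvcs.exe started with no arguments) are the observations a detection engineer would turn into rules. The Python below is an added example and is not part of the Joe Sandbox report or of the sample's code. It encodes those observations as rules and runs them over constructed events modelled on the report entries. Assumptions: delay values are treated as milliseconds (922337203685477 is exactly .NET TimeSpan.MaxValue in ms, and the PowerShell value 2767011611056431 is three times that), the vboxservice string and the services.exe control event are mine, and the RegSvcs heuristic keys on the host being launched bare by a process in a user-writable path.

```python
"""Added triage example: rule checks for the evasion and persistence behaviours
listed in this report, run over constructed events. Not part of the report or
the sample. Delay values are treated as milliseconds (assumption)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# .NET TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks of 100 ns each.
# This is exactly the 922337203685477 figure in the "Thread delayed" entries.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# Strings a sandbox-aware .NET stealer looks for (from the report, plus one
# assumed VirtualBox indicator that this report does not show).
ANTI_ANALYSIS_STRINGS = (
    "sbiedll.dll",              # Sandboxie injection DLL
    "wine_get_unix_file_name",  # kernel32 export that only exists under Wine
    "vmware tools",
    "vmware svga",
    "vboxservice",              # assumption: not in this report
)

# .NET framework utilities commonly abused as process-hollowing hosts.
DOTNET_HOSTS = ("regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe")


@dataclass
class Event:
    kind: str          # "process_created" | "memory_string" | "thread_delayed"
    image: str         # process that performed the action
    data: str = ""     # command line, memory string, or delay in ms
    parent: str = ""   # parent image, for process_created


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    p = path.lower()
    return "\\users\\" in p or "\\appdata\\" in p or "\\temp\\" in p


def classify(ev: Event) -> list[str]:
    """Return the rule names an event trips, in a fixed order."""
    hits: list[str] = []
    if ev.kind == "process_created":
        cmd = ev.data.lower()
        img = _base(ev.image)
        if "add-mppreference" in cmd and "-exclusion" in cmd:
            hits.append("defender_exclusion_added")
        if img == "schtasks.exe" and "/create" in cmd:
            xml = re.search(r'/xml\s+"?([^"]+)', cmd)
            if xml and "\\appdata\\local\\temp\\" in xml.group(1):
                hits.append("schtask_from_temp_xml")
        # A .NET host utility does nothing useful without arguments; spawned
        # bare by a process living in a user-writable path it is a hollowing target.
        bare = cmd.strip().strip('"').endswith(img)
        if img in DOTNET_HOSTS and bare and _user_writable(ev.parent):
            hits.append("dotnet_host_no_args_from_userland")
    elif ev.kind == "memory_string":
        if any(s in ev.data.lower() for s in ANTI_ANALYSIS_STRINGS):
            hits.append("anti_analysis_artifact")
    elif ev.kind == "thread_delayed":
        ms = int(ev.data)
        if ms >= TIMESPAN_MAX_MS or (ms > 0 and ms % TIMESPAN_MAX_MS == 0):
            hits.append("sleep_timespan_max")   # effectively an infinite sleep
        elif ms >= 30_000:
            hits.append("long_sleep")
    return hits


def triage(events: list[Event]) -> dict[str, list[str]]:
    """Map each tripped rule to the sorted image names that tripped it."""
    findings: dict[str, set[str]] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, set()).add(_base(ev.image))
    return {rule: sorted(imgs) for rule, imgs in sorted(findings.items())}


# Constructed events modelled on the entries in this report.
SAMPLE = "C:\\Users\\user\\Desktop\\DHL Delivery Invoice AWB 2774038374 .pdf.exe"
PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
SCHTASKS = "C:\\Windows\\SysWOW64\\schtasks.exe"
REGSVCS = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"

EVENTS = [
    Event("process_created", PS,
          'powershell.exe" Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\uHlRqGSIW.exe',
          SAMPLE),
    Event("process_created", SCHTASKS,
          'schtasks.exe" /Create /TN "Updates\\uHlRqGSIW" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmpCDD.tmp',
          SAMPLE),
    Event("process_created", REGSVCS, REGSVCS, SAMPLE),
    Event("memory_string", SAMPLE, "SBIEDLL.DLL"),
    Event("memory_string", SAMPLE, "KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME"),
    Event("memory_string", SAMPLE, "InstallPathJC:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\"),
    Event("thread_delayed", SAMPLE, "922337203685477"),
    Event("thread_delayed", PS, "2767011611056431"),   # 3 x TimeSpan.MaxValue
    Event("thread_delayed", SAMPLE, "35447"),
    # Control (constructed): same host, but with arguments and a system parent.
    Event("process_created", REGSVCS, REGSVCS + " /u C:\\app\\comp.dll",
          "C:\\Windows\\System32\\services.exe"),
]

if __name__ == "__main__":
    for rule, images in triage(EVENTS).items():
        print(f"{rule:36s} {', '.join(images)}")
```

                      On a live host the two persistence artefacts from this section can be confirmed with Get-MpPreference (the ExclusionPath property) and Get-ScheduledTask -TaskPath '\Updates\'; an exclusion that points at a file under AppData\Roaming has no legitimate reason to exist and is itself a high-confidence indicator.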
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp; Binary or memory string: Progman
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp; Binary or memory string: SProgram Managerl
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd,
                      Source: RegSvcs.exe, 0000000D.00000002.549155778.0000000001910000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4574d90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.43eba80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.4383260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.313434658.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL Delivery Invoice AWB 2774038374 .pdf.exe PID: 6344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7092, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7092, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla (same Yara match sources as listed under Stealing of Sensitive Information)

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [12]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [13]; Software Packing [23]; Masquerading [11]; Virtualization/Sandbox Evasion [131]; Process Injection [12]; Indicator Removal from Tools
Credential Access: OS Credential Dumping [2]; Input Capture [211]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery [1]; System Information Discovery [114]; Query Registry [1]; Security Software Discovery [311]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [211]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

[Behavior graph image; the information recoverable from it follows.]
Behavior Graph ID: 553161; Sample: DHL Delivery Invoice AWB 27...; Startdate: 14/01/2022; Architecture: WINDOWS; Score: 100
Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 17 other signatures
Process: DHL Delivery Invoice AWB 2774038374 .pdf.exe (started)
• Dropped files: C:\Users\user\AppData\Roaming\uHlRqGSIW.exe (PE32); C:\Users\...\uHlRqGSIW.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\Temp\tmpCDD.tmp (XML); DHL Delivery Invoi...038374 .pdf.exe.log (ASCII)
• Signature: Adds a directory exclusion to Windows Defender
• Child processes started: RegSvcs.exe; powershell.exe; schtasks.exe
Process: RegSvcs.exe
• Network: smtp.yandex.ru 77.88.21.158, ports 49811, 49812, 587, YANDEXRU Russian Federation; smtp.yandex.com
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures
Process: powershell.exe, child process started: conhost.exe
Process: schtasks.exe, child process started: conhost.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
DHL Delivery Invoice AWB 2774038374 .pdf.exe | 33% | Virustotal |
DHL Delivery Invoice AWB 2774038374 .pdf.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun
DHL Delivery Invoice AWB 2774038374 .pdf.exe | 100% | Avira | HEUR/AGEN.1140941
DHL Delivery Invoice AWB 2774038374 .pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\uHlRqGSIW.exe | 100% | Avira | HEUR/AGEN.1140941
C:\Users\user\AppData\Roaming\uHlRqGSIW.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\uHlRqGSIW.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

Source | Detection | Scanner | Label
13.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
0.0.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack | 100% | Avira | HEUR/AGEN.1140941
13.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
13.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
0.2.DHL Delivery Invoice AWB 2774038374 .pdf.exe.670000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
13.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
13.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
13.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | | high
smtp.yandex.com | unknown | unknown | false | | high

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comessed~DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286974463.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286850968.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286893742.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286946694.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286873547.0000000007E5B000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            low
                            http://www.sajatypeworks.comDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281322115.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://repository.certum.pl/ca.cer09RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                              high
                              http://www.founder.com.cn/cn/cTheDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/6DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comcep/DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.286420009.0000000007E5B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.galapagosdesign.com/DPleaseDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.ascendercorp.com/typedesigners.htmlDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285603469.0000000007E2B000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com6DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.291026104.0000000007E5B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.comrsiv)DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287021458.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287063519.0000000007E5B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              low
                              http://www.urwpp.deDPleaseDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.zhongyicts.com.cnDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmpfalse
                                high
                                https://api.ipify.org%RegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                low
                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.certum.pl/CPS0RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.jiyu-kobo.co.jp/ZDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.galapagosdesign.com/DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288455261.0000000007E5B000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.comcomdDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287696252.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287744494.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287446156.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287238145.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287279265.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287655186.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287867201.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287413690.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287674441.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287813406.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287160159.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287316363.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287484631.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287598239.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 
00000000.00000003.287634570.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287559529.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287190726.0000000007E5B000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haRegSvcs.exe, 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://crl.certum.pl/ctnca.crl0kRegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.carterandcone.comext:DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/MDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/DDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285728184.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285777761.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285673906.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285590318.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285632819.0000000007E5B000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://smtp.yandex.comRegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.carterandcone.comlDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.founder.com.cn/cn/DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283731492.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283792623.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283823226.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283661315.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283843116.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283605847.0000000007E58000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283550929.0000000007E5A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283745473.0000000007E5A000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/frere-jones.htmlDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                        high
                                        http://crls.yandex.net/certum/ycasha2.crl0-RegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/qDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comituFMDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287381092.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.287338663.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.carterandcone.comscreenDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/hDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284762977.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284668327.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284697527.0000000007E5F000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comzJoDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/e-eDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/cDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comy:DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284461330.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.monotype.:DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288374211.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288394129.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.288428074.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/rsDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284982681.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sajatypeworks.com.DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281785804.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281399415.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281579200.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281482563.0000000007E3B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281742472.0000000007E3B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sajatypeworks.comoftUDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.com/designersGDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.com/designers/?DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cn/bTheDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers?DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.sajatypeworks.com8DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://yandex.crl.certum.pl/ycasha2.crl0qRegSvcs.exe, 0000000D.00000002.556707747.0000000006218000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.556166349.00000000061BF000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.551946077.00000000032F3000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.552355961.0000000003335000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.jiyu-kobo.co.jp/jp/MDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285270472.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284835942.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285101523.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285158402.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284909377.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.285519817.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.founder.com.cn/cnNJDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283132405.0000000007E3A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283179466.0000000007E3E000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.tiro.comDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283843116.0000000007E5B000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283808495.0000000007E3A000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.283862148.0000000007E2D000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.goodfont.co.krDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000002.320018670.0000000009032000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.sajatypeworks.comres#DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.281251380.0000000007E3B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.carterandcone.comDHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284399905.0000000007E2D000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374 .pdf.exe, 00000000.00000003.284388284.0000000007E5B000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown

Contacted IPs

Legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Public

IP            Domain          Country             ASN    ASN Name   Malicious
77.88.21.158  smtp.yandex.ru  Russian Federation  13238  YANDEXRU   false

                                                                  General Information

                                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                                  Analysis ID:553161
                                                                  Start date:14.01.2022
                                                                  Start time:12:12:25
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 10m 22s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Sample file name:DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                  Number of analysed new started processes analysed:25
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/9@2/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 1.4% (good quality ratio 0.9%)
• Quality average: 40%
• Quality standard deviation: 33.9%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 62
• Number of non-executed functions: 15
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.211.4.86, 23.211.6.115, 20.54.110.249
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                  Simulations

                                                                  Behavior and APIs

Time | Type | Description
12:13:49 | API Interceptor | 1x Sleep call for process: DHL Delivery Invoice AWB 2774038374 .pdf.exe modified
12:13:53 | API Interceptor | 28x Sleep call for process: powershell.exe modified
12:14:07 | API Interceptor | 719x Sleep call for process: RegSvcs.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

Match | Associated Sample Name / URL | Detection
77.88.21.158 | 3NeufRwoxF.exe | malicious
77.88.21.158 | O53TFikPkp.exe | malicious
77.88.21.158 | V5Al4cc8RL.exe | malicious
77.88.21.158 | RFQ7534567.doc | malicious
77.88.21.158 | MT106_11-Advance.Payment.exe | malicious
77.88.21.158 | DHL Delivery Invoice AWB 2774038374.pdf.exe | malicious
77.88.21.158 | DHL Delivery Invoice AWB 2774038374.exe | malicious
77.88.21.158 | Enquiries #oPU46rkEAKUhyA4.pdf.exe | malicious
77.88.21.158 | PUCHASE INQUIRIES.exe | malicious
77.88.21.158 | JG4wxLFjVx.exe | malicious
77.88.21.158 | VCoycS3b62.exe | malicious
77.88.21.158 | zVd17VxIfi.exe | malicious
77.88.21.158 | DHL Delivery Invoice AWB 2774038374.exe | malicious
77.88.21.158 | 8456754.doc | malicious
77.88.21.158 | RFQ56767.doc | malicious
77.88.21.158 | fHVTaKcT0C.exe | malicious
77.88.21.158 | Payment 20211229.exe | malicious
77.88.21.158 | Purchase_order_scan.exe | malicious
77.88.21.158 | pNPpAW7x5N.exe | malicious
77.88.21.158 | PKO_TRANS_DETAILS_20211216_0809521.exe | malicious

                                                                                                          Domains

Match | Associated Sample Name / URL | Detection | Context
smtp.yandex.ru | 3NeufRwoxF.exe | malicious | 77.88.21.158
smtp.yandex.ru | O53TFikPkp.exe | malicious | 77.88.21.158
smtp.yandex.ru | V5Al4cc8RL.exe | malicious | 77.88.21.158
smtp.yandex.ru | RFQ7534567.doc | malicious | 77.88.21.158
smtp.yandex.ru | MT106_11-Advance.Payment.exe | malicious | 77.88.21.158
smtp.yandex.ru | DHL Delivery Invoice AWB 2774038374.pdf.exe | malicious | 77.88.21.158
smtp.yandex.ru | DHL Delivery Invoice AWB 2774038374.exe | malicious | 77.88.21.158
smtp.yandex.ru | Enquiries #oPU46rkEAKUhyA4.pdf.exe | malicious | 77.88.21.158
smtp.yandex.ru | PUCHASE INQUIRIES.exe | malicious | 77.88.21.158
smtp.yandex.ru | 64795.doc | malicious | 77.88.21.158
smtp.yandex.ru | JG4wxLFjVx.exe | malicious | 77.88.21.158
smtp.yandex.ru | VCoycS3b62.exe | malicious | 77.88.21.158
smtp.yandex.ru | zVd17VxIfi.exe | malicious | 77.88.21.158
smtp.yandex.ru | DHL Delivery Invoice AWB 2774038374.pdf.exe | malicious | 77.88.21.158
smtp.yandex.ru | DHL Delivery Invoice AWB 2774038374.exe | malicious | 77.88.21.158
smtp.yandex.ru | 8456754.doc | malicious | 77.88.21.158
smtp.yandex.ru | PURCHASE INQUIRIES.exe | malicious | 77.88.21.158
smtp.yandex.ru | RFQ56767.doc | malicious | 77.88.21.158
smtp.yandex.ru | SO#_UPSDT_INVOICE.exe | malicious | 77.88.21.158
smtp.yandex.ru | fHVTaKcT0C.exe | malicious | 77.88.21.158

                                                                                                          ASN

Match | Associated Sample Name / URL | Detection | Context
YANDEXRU | Ziraat Bankasi Swift Mesaji.exe | malicious | 77.88.21.37
YANDEXRU | 3NeufRwoxF.exe | malicious | 77.88.21.158
YANDEXRU | O53TFikPkp.exe | malicious | 77.88.21.158
YANDEXRU | 1Nb1LqIIq2 | malicious | 95.108.137.46
YANDEXRU | V5Al4cc8RL.exe | malicious | 77.88.21.158
YANDEXRU | RFQ7534567.doc | malicious | 77.88.21.158
YANDEXRU | Ziraat Bankasi Swift Mesaji.exe | malicious | 77.88.21.37
YANDEXRU | Halkbank_Ekstre_20210825_073604_628391.exe | malicious | 77.88.21.37
YANDEXRU | MT106_11-Advance.Payment.exe | malicious | 77.88.21.158
YANDEXRU | DHL Delivery Invoice AWB 2774038374.pdf.exe | malicious | 77.88.21.158
YANDEXRU | DHL Delivery Invoice AWB 2774038374.exe | malicious | 77.88.21.158
YANDEXRU | 4nmeEJrZJ9.exe | malicious | 5.255.255.5
YANDEXRU | Enquiries #oPU46rkEAKUhyA4.pdf.exe | malicious | 77.88.21.158
YANDEXRU | PUCHASE INQUIRIES.exe | malicious | 77.88.21.158
YANDEXRU | default.html | malicious | 77.88.21.119
YANDEXRU | JG4wxLFjVx.exe | malicious | 77.88.21.158
YANDEXRU | VCoycS3b62.exe | malicious | 77.88.21.158
YANDEXRU | zVd17VxIfi.exe | malicious | 77.88.21.158
YANDEXRU | DHL Delivery Invoice AWB 2774038374.exe | malicious | 77.88.21.158
YANDEXRU | 8456754.doc | malicious | 77.88.21.158

                                                                                                          JA3 Fingerprints

                                                                                                          No context

                                                                                                          Dropped Files

                                                                                                          No context

                                                                                                          Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Delivery Invoice AWB 2774038374 .pdf.exe.log
Process: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5: D918C6A765EDB90D2A227FE23A3FEC98
SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512: A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious: true
Reputation: moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 22308
Entropy (8bit): 5.603099437777812
Encrypted: false
SSDEEP: 384:1tCD3Y0nVrWZBf9sFu5SrRn8S0nojultISP7Y9glSJ3xKT1MaXZlbAV7sxwG5ZBQ:Pj1sio8ToClttrlcICefwkVc
MD5: DEC43304DCD2328F7D8DF2EEB1F46AFD
SHA1: 1616F15BA49499E2AF5F150D07B56C9BBA05CAE2
SHA-256: 25DC17278CD1D2818386B1C56AC734607F636091D6C3396D3A48FBBE41B837DA
SHA-512: 5C3EC6D0EB58FBA25A90DE636EB05E48F8BA80BCCA863E2D9A94514944A6ACF1D576BCDE88ACD37BF79FD613D16CEEEE475F58715F040AD7FD3CD989736A3CEB
Malicious: false
Reputation: low
                                                                                                          Preview: @...e...................e...^.X.U.....M...D..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2s24r22.hk2.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
                                                                                                          Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnebz11w.tod.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
                                                                                                          Preview: 1
C:\Users\user\AppData\Local\Temp\tmpCDD.tmp
Process: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1600
Entropy (8bit): 5.13189504670977
Encrypted: false
SSDEEP: 24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt+xvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTyv
MD5: 73DF604589172A494DE9CCA5E3D7A16E
SHA1: 181096A65607DAB9B1C31F77402B52EB30DFCACD
SHA-256: 4DFA1BC1558CD76B1C9CF89CF7A3CA77170452041C32EE28D9C239E4249C394F
SHA-512: 15ADB4BC30D945BC56CAE5D948B21B3B6C725236419BA8EB98345D060E189966814F04ED842CC0D94839AB6830DF72E289C54F24EF3E6224C453BF626595A5CB
Malicious: true
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                                                                          C:\Users\user\AppData\Roaming\uHlRqGSIW.exe
                                                                                                          Process:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):550400
                                                                                                          Entropy (8bit):7.713292286610871
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:pCCqskK777777777777KPQly5rwG67HrPGH6oMSDnL2CgfeWhrek:pCnK777777777777KodpfuH6zSjLt
                                                                                                          MD5:A44512118BE5E5420C9D710A96353898
                                                                                                          SHA1:5867F5FAF6ACFA48B90F21D655411FD98D50136D
                                                                                                          SHA-256:9CA32954BC9AE96F11D246CA45443522A731631C154F768938C556869E01B555
                                                                                                          SHA-512:A8251DCA003FF59B30681FC6AF02F18373638C8A6485D1EA73AB8299A02D287CB5C55F36BF30F960C7951259827B3D48EDAFD6A032E437CE5DB1C889BA230F01
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 51%
                                                                                                          C:\Users\user\AppData\Roaming\uHlRqGSIW.exe:Zone.Identifier
                                                                                                          Process:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):26
                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                          Malicious:true
                                                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                                                          C:\Users\user\AppData\Roaming\yqbb5t2l.acx\Chrome\Default\Cookies
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                          Category:dropped
                                                                                                          Size (bytes):20480
                                                                                                          Entropy (8bit):0.698304057893793
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
                                                                                                          MD5:3806E8153A55C1A2DA0B09461A9C882A
                                                                                                          SHA1:BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
                                                                                                          SHA-256:366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
                                                                                                          SHA-512:31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
                                                                                                          Malicious:false
                                                                                                          C:\Users\user\Documents\20220114\PowerShell_transcript.414408.8ocki2zp.20220114121352.txt
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):5795
                                                                                                          Entropy (8bit):5.395583878877797
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:BZN/jNsqDo1ZpZz/jNsqDo1ZiFftjZk/jNsqDo1ZisddfZg:N
                                                                                                          MD5:C21A8A6A317627BC5A69E31FAF91D394
                                                                                                          SHA1:6B2DE34F22814D565DF6DE4EC4CAAD2CF454F894
                                                                                                          SHA-256:B03D80345CD4A86A1A5176787D87F97434FD9A9661709B48049DBB5A451C6D7F
                                                                                                          SHA-512:3CA45FF9627199A0F6CDB32B23E76DA16BDA09A2748D431F70B95670E769FC1A1EA2BCBDDCB186AEA5567E4E9F4DA5F23A321225D73B1740A1742E224FB66241
                                                                                                          Malicious:false
                                                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114121353..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\uHlRqGSIW.exe..Process ID: 6916..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114121353..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\uHlRqGSIW.exe..**********************..Windows PowerShell transcript start..Start time: 20220114121720..Username: computer\user..RunAs User: computer\a

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):7.713292286610871
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          File name:DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                                                          File size:550400
                                                                                                          MD5:a44512118be5e5420c9d710a96353898
                                                                                                          SHA1:5867f5faf6acfa48b90f21d655411fd98d50136d
                                                                                                          SHA256:9ca32954bc9ae96f11d246ca45443522a731631c154f768938c556869e01b555
                                                                                                          SHA512:a8251dca003ff59b30681fc6af02f18373638c8a6485d1ea73ab8299a02d287cb5c55f36bf30f960c7951259827b3d48edafd6a032e437ce5db1c889ba230f01
                                                                                                          SSDEEP:12288:pCCqskK777777777777KPQly5rwG67HrPGH6oMSDnL2CgfeWhrek:pCnK777777777777KodpfuH6zSjLt
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o..a..............0..\...........y... ........@.. ....................................@................................

                                                                                                          File Icon

                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x4879fe
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                          Time Stamp:0x61E0B96F [Thu Jan 13 23:44:47 2022 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                          Entrypoint Preview

                                                                                                          Instruction
                                                                                                          jmp dword ptr [00402000h]
                                                                                                          add byte ptr [eax], al

                                                                                                          Data Directories

                                                                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x879ac          0x4f          .text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x88000          0x5d0         .rsrc
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8a000          0xc           .reloc
                                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                          Sections

                                                                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                          .text0x20000x85a040x85c00False0.852915084696data7.72362140685IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                          .rsrc0x880000x5d00x600False0.42578125data4.12284332738IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                          .reloc0x8a0000xc0x200False0.041015625data0.0815394123432IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                          Resources

                                                                                                          NameRVASizeTypeLanguageCountry
                                                                                                          RT_VERSION0x880a00x344data
                                                                                                          RT_MANIFEST0x883e40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                          Imports

                                                                                                          DLLImport
                                                                                                          mscoree.dll_CorExeMain

                                                                                                          Version Infos

                                                                                                          DescriptionData
                                                                                                          Translation0x0000 0x04b0
                                                                                                          LegalCopyrightCopyright 2015
                                                                                                          Assembly Version1.0.0.0
                                                                                                          InternalNameNamedPermissionS.exe
                                                                                                          FileVersion1.0.0.0
                                                                                                          CompanyName
                                                                                                          LegalTrademarks
                                                                                                          Comments
                                                                                                          ProductNameram machine
                                                                                                          ProductVersion1.0.0.0
                                                                                                          FileDescriptionram machine
                                                                                                          OriginalFilenameNamedPermissionS.exe

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets

Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Jan 14, 2022 12:15:33.791867971 CET | 60075       | 53        | 192.168.2.5 | 8.8.8.8
Jan 14, 2022 12:15:33.811069965 CET | 53          | 60075     | 8.8.8.8     | 192.168.2.5
Jan 14, 2022 12:15:33.826654911 CET | 55016       | 53        | 192.168.2.5 | 8.8.8.8
Jan 14, 2022 12:15:33.844248056 CET | 53          | 55016     | 8.8.8.8     | 192.168.2.5

DNS Queries

Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name            | Type           | Class
Jan 14, 2022 12:15:33.791867971 CET | 192.168.2.5 | 8.8.8.8 | 0xf445   | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)
Jan 14, 2022 12:15:33.826654911 CET | 192.168.2.5 | 8.8.8.8 | 0xdac9   | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name            | CName          | Address      | Type                   | Class
Jan 14, 2022 12:15:33.811069965 CET | 8.8.8.8   | 192.168.2.5 | 0xf445   | No error (0) | smtp.yandex.com | smtp.yandex.ru |              | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 12:15:33.811069965 CET | 8.8.8.8   | 192.168.2.5 | 0xf445   | No error (0) | smtp.yandex.ru  |                | 77.88.21.158 | A (IP address)         | IN (0x0001)
Jan 14, 2022 12:15:33.844248056 CET | 8.8.8.8   | 192.168.2.5 | 0xdac9   | No error (0) | smtp.yandex.com | smtp.yandex.ru |              | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 12:15:33.844248056 CET | 8.8.8.8   | 192.168.2.5 | 0xdac9   | No error (0) | smtp.yandex.ru  |                | 77.88.21.158 | A (IP address)         | IN (0x0001)

SMTP Packets

Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP      | Commands
Jan 14, 2022 12:15:34.235848904 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5  | 220 myt6-efff10c3476a.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642158934-DxmiumVCju-FXPeFLdT
Jan 14, 2022 12:15:34.236306906 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158 | EHLO 414408
Jan 14, 2022 12:15:34.301402092 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5  | 250-myt6-efff10c3476a.qloud-c.yandex.net
                                    |             |           |              |              | 250-8BITMIME
                                    |             |           |              |              | 250-PIPELINING
                                    |             |           |              |              | 250-SIZE 53477376
                                    |             |           |              |              | 250-STARTTLS
                                    |             |           |              |              | 250-AUTH LOGIN PLAIN XOAUTH2
                                    |             |           |              |              | 250-DSN
                                    |             |           |              |              | 250 ENHANCEDSTATUSCODES
Jan 14, 2022 12:15:34.301743031 CET | 49811       | 587       | 192.168.2.5  | 77.88.21.158 | STARTTLS
Jan 14, 2022 12:15:34.364252090 CET | 587         | 49811     | 77.88.21.158 | 192.168.2.5  | 220 Go ahead
Jan 14, 2022 12:15:36.943209887 CET | 587         | 49812     | 77.88.21.158 | 192.168.2.5  | 220 iva5-057a0d1fbbd8.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642158936-fWlcdS4Ymy-FaQiJarb
Jan 14, 2022 12:15:36.943656921 CET | 49812       | 587       | 192.168.2.5  | 77.88.21.158 | EHLO 414408
Jan 14, 2022 12:15:37.002964973 CET | 587         | 49812     | 77.88.21.158 | 192.168.2.5  | 250-iva5-057a0d1fbbd8.qloud-c.yandex.net
                                    |             |           |              |              | 250-8BITMIME
                                    |             |           |              |              | 250-PIPELINING
                                    |             |           |              |              | 250-SIZE 53477376
                                    |             |           |              |              | 250-STARTTLS
                                    |             |           |              |              | 250-AUTH LOGIN PLAIN XOAUTH2
                                    |             |           |              |              | 250-DSN
                                    |             |           |              |              | 250 ENHANCEDSTATUSCODES
Jan 14, 2022 12:15:37.003392935 CET | 49812       | 587       | 192.168.2.5  | 77.88.21.158 | STARTTLS
Jan 14, 2022 12:15:37.062109947 CET | 587         | 49812     | 77.88.21.158 | 192.168.2.5  | 220 Go ahead

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Start time:12:13:40
                                                                                                          Start date:14/01/2022
                                                                                                          Path:C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374 .pdf.exe"
                                                                                                          Imagebase:0x670000
                                                                                                          File size:550400 bytes
                                                                                                          MD5 hash:A44512118BE5E5420C9D710A96353898
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.316625464.00000000029F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.317173851.00000000041F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:low

                                                                                                          General

                                                                                                          Start time:12:13:50
                                                                                                          Start date:14/01/2022
                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uHlRqGSIW.exe"
                                                                                                          Imagebase:0x9a0000
                                                                                                          File size:430592 bytes
                                                                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:12:13:51
                                                                                                          Start date:14/01/2022
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7ecfc0000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:12:13:51
                                                                                                          Start date:14/01/2022
                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uHlRqGSIW" /XML "C:\Users\user\AppData\Local\Temp\tmpCDD.tmp"
                                                                                                          Imagebase:0xa50000
                                                                                                          File size:185856 bytes
                                                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:12:13:52
                                                                                                          Start date:14/01/2022
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7ecfc0000
                                                                                                          File size:625664 bytes
                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:12:13:54
                                                                                                          Start date:14/01/2022
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                          Imagebase:0xb50000
                                                                                                          File size:45152 bytes
                                                                                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:.Net C# or VB.NET
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.313926174.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000002.546381837.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.312473724.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.311298694.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.313434658.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.313434658.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.549819127.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:high

                                                                                                          Disassembly

                                                                                                          Code Analysis


                                                                                                            Execution Graph

                                                                                                            Execution Coverage:11.2%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:138
                                                                                                            Total number of Limit Nodes:9

                                                                                                            Graph

                                                                                                            execution_graph (node listing omitted; APIs reached by the graph: VirtualProtect, GetModuleHandleW, LoadLibraryExW, SetWindowLongW, CallWindowProcW, CreateActCtxA, DuplicateHandle, CreateWindowExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId)

                                                                                                            Executed Functions

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1010000_DHL Delivery Invoice AWB 2774038374 .jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: c pl
                                                                                                            • API String ID: 0-1537316244
                                                                                                            • Opcode ID: 26d0aafa9a0df3541084f367d323a7950cd7b4ab37fec2cf27b889f998853eee
                                                                                                            • Instruction ID: 7b0ecc40ff7bd0fbf74577107804ba31bacb6e7a9699d8a0bb7556a57657dbe6
                                                                                                            • Opcode Fuzzy Hash: 26d0aafa9a0df3541084f367d323a7950cd7b4ab37fec2cf27b889f998853eee
                                                                                                            • Instruction Fuzzy Hash: 7C81C274E00218CFDB48CFE9C994AAEBBB2FF89300F14812AE519AB365D7355946CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1010000_DHL Delivery Invoice AWB 2774038374 .jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: c pl
                                                                                                            • API String ID: 0-1537316244
                                                                                                            • Opcode ID: 715ae03976d52c78c8888a174ca4c1ec060ffe2a831176ae3f18b6c7a4e2eabf
                                                                                                            • Instruction ID: 88ceb6d5cf9e1490a930397489059fdfea1877f60ea5ac6ebad90fdf98716edc
                                                                                                            • Opcode Fuzzy Hash: 715ae03976d52c78c8888a174ca4c1ec060ffe2a831176ae3f18b6c7a4e2eabf
                                                                                                            • Instruction Fuzzy Hash: 1D81B274E00218CFDB48CFE9C984AEEBBB6EF89300F14812AE519AB365D7755942CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1010000_DHL Delivery Invoice AWB 2774038374 .jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e17deca8fd625ca23850c53fe5778342445a6bfaa73ad37d32c6b1d0fdefcd5e
                                                                                                            • Instruction ID: dbf1e597fcc88665f3b2c610234d5bb30ad150be64a5ce9939a43a785947316d
                                                                                                            • Opcode Fuzzy Hash: e17deca8fd625ca23850c53fe5778342445a6bfaa73ad37d32c6b1d0fdefcd5e
                                                                                                            • Instruction Fuzzy Hash: AD515C70E0520ACBDB04CFA9D5915EEBBB2FF89310F249429C405BB218D7389A45CBA5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1010000_DHL Delivery Invoice AWB 2774038374 .jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3959ce6a98ce4d7a1720aed79960f49f0a2c695428ecb05cc2230c0c42faf6de
                                                                                                            • Instruction ID: 55ca61e9f0859b76803c86b9a928e4dba50a12c893ac0f1b9c1c68d176986e5f
                                                                                                            • Opcode Fuzzy Hash: 3959ce6a98ce4d7a1720aed79960f49f0a2c695428ecb05cc2230c0c42faf6de
                                                                                                            • Instruction Fuzzy Hash: 02512470E04619CFCB08CFAAD8405AEFBF2FF89300F14C56AD559B7259D7389A018BA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1010000_DHL Delivery Invoice AWB 2774038374 .jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 69cdcd72c2893fdff7a3a22849f2b3f83a506d7109fce9669bbf0e000aa7a505
                                                                                                            • Instruction ID: 6bd7b2a9f59b5810da9b69bce6b5152312d7c41bd89cf24e49901d50064d6d2a
                                                                                                            • Opcode Fuzzy Hash: 69cdcd72c2893fdff7a3a22849f2b3f83a506d7109fce9669bbf0e000aa7a505
                                                                                                            • Instruction Fuzzy Hash: D921F771E006589BDB19CFAAD9442DEBBB2AFC9310F14C16AD409AA269DB340946CB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 04F45168
• GetCurrentThread.KERNEL32 ref: 04F451A5
• GetCurrentProcess.KERNEL32 ref: 04F451E2
• GetCurrentThreadId.KERNEL32 ref: 04F4523B
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: b53fbc6bf42b55a747a5d193a230c2b1c3ec7fa9e314fedc4b27b47e840e5746
• Instruction ID: a3b8139840d0d272d1aad22ed5d28c9bf983eafc3e74b967bb31a26db4b34d3f
• Opcode Fuzzy Hash: b53fbc6bf42b55a747a5d193a230c2b1c3ec7fa9e314fedc4b27b47e840e5746
• Instruction Fuzzy Hash: 7F5186B0D006488FEB14DFA9D6487DEBBF1EF88318F248559E519A7390DB34A945CF22
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• GetCurrentProcess.KERNEL32 ref: 04F45168
• GetCurrentThread.KERNEL32 ref: 04F451A5
• GetCurrentProcess.KERNEL32 ref: 04F451E2
• GetCurrentThreadId.KERNEL32 ref: 04F4523B
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 70f3ad3676a6ae0fa0a7b1cb314df1e157118849af5b3a4a136ed830a397130c
• Instruction ID: 517b690180d24518a4ab1f76b793059291b33627eac030a2d0d9a26d32880587
• Opcode Fuzzy Hash: 70f3ad3676a6ae0fa0a7b1cb314df1e157118849af5b3a4a136ed830a397130c
• Instruction Fuzzy Hash: 4F5186B0D002489FEB14DFA9D948BDEBBF4EF88318F248559E409A7350CB34A945CF62
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• GetModuleHandleW.KERNELBASE(?), ref: 04F42F3A
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: da2b8f08d6e8a860186cac02d6049976a6468d07f34f596d318a91e208deb35e
• Instruction ID: 52705f62147ea80b07dbe3463a9d9e1d05ac73a64da302b15bdbe7a6c1b0a33c
• Opcode Fuzzy Hash: da2b8f08d6e8a860186cac02d6049976a6468d07f34f596d318a91e208deb35e
• Instruction Fuzzy Hash: 03911470A00B048FDB24CF69D540A9ABBF1FF88354F00896AE446E7750DB35E946CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04F49A99
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 537c09ff829a2d0f1e4f36c3b64d75778e1f288cb10df8cc84c0dee90f3a5bc2
• Instruction ID: f1a63ba585cb5587a5409f1fd0e9cac90ed321816569458a16021037ae7a4cec
• Opcode Fuzzy Hash: 537c09ff829a2d0f1e4f36c3b64d75778e1f288cb10df8cc84c0dee90f3a5bc2
• Instruction Fuzzy Hash: 87718EB4D00218DFDF10CFA9C984BDEBBB1BF49304F1491AAE848A7211DB75AA85CF55
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04F49A99
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 2a794e502c42314fd44115d65dfbf5a82ef280bbcc6c1083780f94037ada346f
• Instruction ID: 98efa344b60852c5fc457ae2be2e99866461bce17d9a3bb010da76026c44b1db
• Opcode Fuzzy Hash: 2a794e502c42314fd44115d65dfbf5a82ef280bbcc6c1083780f94037ada346f
• Instruction Fuzzy Hash: 14717EB4D00218DFDF10CFA9C984BDEBBB1BF49314F1491AAE808A7211D771AA85CF55
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• CreateActCtxA.KERNEL32(?), ref: 0101D741
Memory Dump Source
• Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1010000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 698696063c74763f6d04fcba2a0bdcd7c8b351c7e0d40d8040a947e548466b14
• Instruction ID: cd6455132dfa806eccaa362da038ddaee0ec55f5183af8cf0e9b14264aacccce
• Opcode Fuzzy Hash: 698696063c74763f6d04fcba2a0bdcd7c8b351c7e0d40d8040a947e548466b14
• Instruction Fuzzy Hash: 7251D471D0022C8FDB20DFA4C984BCEBBB9BF55304F1084A9D549BB254EB756A89CF91
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04F45803
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a6b4fbc334e5bbdfa2331be0df5f7b93fd8f4d2bfd56f4944deb78bce89bcb76
• Instruction ID: 8d468b3e58e80004b578566aef291beb73111183ee7ac7f79da9c786e2cf1949
• Opcode Fuzzy Hash: a6b4fbc334e5bbdfa2331be0df5f7b93fd8f4d2bfd56f4944deb78bce89bcb76
• Instruction Fuzzy Hash: B44176B9D002589FCF00CFA9D984ADEBBF4BF59320F14942AE918BB210D735A945CF54
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04F45803
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 45ee69f03065b47348b359bf574fc8cd26ea3fa4a028b84d4b84142a0f8f6a56
• Instruction ID: 3f7d05a722d10c16ce93af9573a957226c77ad88e3fa37b0e7587443de47bba5
• Opcode Fuzzy Hash: 45ee69f03065b47348b359bf574fc8cd26ea3fa4a028b84d4b84142a0f8f6a56
• Instruction Fuzzy Hash: 1A4185B9D002589FCB00CFA9D580ADEBBF1BF19320F14946AE918BB310D775A985CF54
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 04F4C101
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 6db6bdd439f1b79b0aa2101ea972880ca6170f0100a20bb2424b1aa55c55142b
• Instruction ID: 1e54ebe61fdcb055e098149406be260212201c20b15bf3eb324fdf4b3f3805a7
• Opcode Fuzzy Hash: 6db6bdd439f1b79b0aa2101ea972880ca6170f0100a20bb2424b1aa55c55142b
• Instruction Fuzzy Hash: F64147B4A002458FDB14CF99C888AAABBF5FF88314F158459D519AB321D774E842CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• LoadLibraryExW.KERNELBASE(?,?,?), ref: 04F43262
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: f30d83a1fe85722341033f6981a8bf2e1b98f09e52e6733cfef020bb78355eeb
• Instruction ID: 086f0a51a20ba4660166384a9672e39742e10b11efc7a5bada3266e54a83d5f7
• Opcode Fuzzy Hash: f30d83a1fe85722341033f6981a8bf2e1b98f09e52e6733cfef020bb78355eeb
• Instruction Fuzzy Hash: 274185B4E002589FCB10CFA9D884ADEFBF5BB49314F14902AE814BB210D774AA46CF95
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (interactive graph not reproduced)
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 01017F77
Memory Dump Source
• Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1010000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 08a9ee1b5a4792bcc919352b45fd9d3f0b7bbfbf982ff1f22ea8f0fb0e8d80fd
• Instruction ID: ed808995df5074f384efa082821cdaf5af2e6614391165914dbe959d67032cea
• Opcode Fuzzy Hash: 08a9ee1b5a4792bcc919352b45fd9d3f0b7bbfbf982ff1f22ea8f0fb0e8d80fd
• Instruction Fuzzy Hash: BD31A8B9D052589FCF10CFA9D880AEEFBF0AF19314F14906AE854B7210D774AA45CF64
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and edges): 597 1017ed0-1017f87 VirtualProtect; 599 1017f90-1017fcc; 600 1017f89-1017f8f; 597->599, 597->600, 600->599
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 01017F77
Memory Dump Source
• Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1010000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 34b14849cfbd2928a979dc63414838da1144d22c8a3cdb0606b2a0599ebb8c8b
• Instruction ID: da0896a643b2ca09011b46824e19d67a4725b131550184494698fb2f8b9aec50
• Opcode Fuzzy Hash: 34b14849cfbd2928a979dc63414838da1144d22c8a3cdb0606b2a0599ebb8c8b
• Instruction Fuzzy Hash: F53197B9D002589FCB14CFA9D984AEEFBF4BF19314F14902AE814B7210D774AA85CF64
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and edges): 603 4f431b2-4f4320c; 604 4f43220-4f43272 LoadLibraryExW; 605 4f4320e-4f4321d; 606 4f43274-4f4327a; 607 4f4327b-4f432b9; 603->604, 603->605, 604->606, 604->607, 605->604, 606->607
APIs
• LoadLibraryExW.KERNELBASE(?,?,?), ref: 04F43262
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 7af81a38b6a9e7f5e8901b98a1c4c565ede18f3546adeb5f01fe72c1bb3714b9
• Instruction ID: 318dfc665f236588645831710dcf21c0a7a71f9c8666850f0bbbe19acd6cc666
• Opcode Fuzzy Hash: 7af81a38b6a9e7f5e8901b98a1c4c565ede18f3546adeb5f01fe72c1bb3714b9
• Instruction Fuzzy Hash: FF4196B8E002589FCB04CFA9E484ADEFBF1BF49314F14902AE814BB210D734AA46CF54
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(?), ref: 04F42F3A
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 4775a9dd14facdf6f310ec85f47ae3610c43bac5b58ca389876809bb986557d5
• Instruction ID: 2db5db979f131eddc0a2ab7ebc77d06ef0429fde30c58dbd6fb1e78f56922137
• Opcode Fuzzy Hash: 4775a9dd14facdf6f310ec85f47ae3610c43bac5b58ca389876809bb986557d5
• Instruction Fuzzy Hash: 6431AAB4D002489FCB14CFA9D484ADEFBF5AF49324F14806AE818B7310D774A946CF65
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 04F49C8E
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: a9b628e0a52396383b677ba068c5ca65595d5961dfb5705b8a81d267a5f5faf1
• Instruction ID: eb256e7a19a6f2608df989d9eb4cd2b8fb9377de815c76f98d66f8a4de7c37be
• Opcode Fuzzy Hash: a9b628e0a52396383b677ba068c5ca65595d5961dfb5705b8a81d267a5f5faf1
• Instruction Fuzzy Hash: DB3197B9E012199FCB10CFA9D984ADEFBF4BB49310F14842AE815B7310D775A946CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 04F49C8E
Memory Dump Source
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f40000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 78261c94f01d8542b575963c1c53a5cc3368f30efb868982224c3808cfaf5371
• Instruction ID: 94045264114eb9fb17de4f38e128f5dc763dfe481f819a58179fe08017c5af4e
• Opcode Fuzzy Hash: 78261c94f01d8542b575963c1c53a5cc3368f30efb868982224c3808cfaf5371
• Instruction Fuzzy Hash: 7B31A7B9E012189FCB10CFA9D984ADEFBF4BB49310F14842AE814B7310D374A945CFA4
Uniqueness
Uniqueness Score: -1.00%
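
The function entries above carry, in their "Source File" and API lines, the raw data behind the report's "Detected unpacking" signatures: VirtualProtect, LoadLibraryExW and GetModuleHandleW are called from dumped regions at 0x01010000 and 0x04F40000 that are marked "based on PE: false", i.e. code running from memory that no image on disk accounts for. The following triage helper is an added example and is not part of this report or of Joe Sandbox. It reads entry lines of the form shown above, groups the API call sites by dumped region and flags regions that are executable-and-writable, not PE-backed, and contain unpacker-style API calls. The decoding of the dump-name fields is an assumption (`<proc>.<stage>.<id>.<base>.<protect>.<type>.sdmp`); the code relies only on the base field, which matches the printed Offset in every entry on this page, and on the protection field, whose value 0x40 is the winnt.h constant PAGE_EXECUTE_READWRITE. The sample input is a constructed excerpt made from lines copied from this page.

```python
"""Triage helper for the function-table entries in this Joe Sandbox report.
Added example; not part of the report and not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# winnt.h memory-protection constants (exact values).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_READWRITE = 0x40

# APIs a runtime unpacker typically calls from its decrypted stage.
UNPACKER_APIS = {"VirtualProtect", "VirtualAlloc", "LoadLibraryExW", "LoadLibraryW",
                 "LoadLibraryA", "GetModuleHandleW", "GetProcAddress"}

# Assumed field layout of the dump name: <proc>.<stage>.<id>.<base>.<protect>.<type>.sdmp.
# Only <base> (it equals the printed Offset) and <protect> (a winnt.h constant) are used.
SDMP_RE = re.compile(
    r"Source File:\s*(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp"
    r".*?based on PE:\s*(?P<pe>true|false)")
API_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class Region:
    base: int
    protect: int
    pe_backed: bool
    apis: list = field(default_factory=list)  # (api, module, call-site address)

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:x}")


def parse_function_table(text: str) -> dict:
    """Group the API references of each function entry under its memory region.
    An entry lists its APIs before its 'Source File' line, so API lines are
    buffered until the region they belong to is seen."""
    regions: dict = {}
    pending: list = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            pending.append((m["api"], m["module"], int(m["ref"], 16)))
            continue
        m = SDMP_RE.search(line)
        if m:
            base = int(m["base"], 16)
            region = regions.setdefault(
                base, Region(base, int(m["protect"], 16), m["pe"] == "true"))
            for call in pending:
                if call not in region.apis:  # identical entries repeat in the report
                    region.apis.append(call)
            pending = []
    return regions


def suspicious_regions(regions: dict) -> list:
    """RWX regions not backed by a PE image that call unpacker-style APIs:
    the pattern behind the report's 'Detected unpacking' signatures."""
    hits = []
    for r in sorted(regions.values(), key=lambda r: r.base):
        apis = sorted({api for api, _, _ in r.apis} & UNPACKER_APIS)
        if r.protect == PAGE_EXECUTE_READWRITE and not r.pe_backed and apis:
            hits.append((r.base, r.protect_name, apis))
    return hits


# Constructed excerpt: entry lines copied from this report's function table.
SAMPLE_ENTRIES = """
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 01017F77
• Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 01017F77
• Source File: 00000000.00000002.316278852.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false
• LoadLibraryExW.KERNELBASE(?,?,?), ref: 04F43262
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
• GetModuleHandleW.KERNELBASE(?), ref: 04F42F3A
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
• SetWindowLongW.USER32(?,?,?), ref: 04F49C8E
• Source File: 00000000.00000002.318837112.0000000004F40000.00000040.00000001.sdmp, Offset: 04F40000, based on PE: false
• Source File: 00000000.00000002.315740953.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
"""

if __name__ == "__main__":
    for base, prot, apis in suspicious_regions(parse_function_table(SAMPLE_ENTRIES)):
        print(f"{base:#010x} {prot}: {', '.join(apis)}")
```

On the excerpt this flags the 0x01010000 region (VirtualProtect) and the 0x04F40000 region (GetModuleHandleW, LoadLibraryExW); the 0x00DAD000 region is also RWX and not PE-backed but has no API references in these entries, so it is left for manual review rather than flagged. The SetWindowLongW call is kept in the region's API list but does not by itself count toward the unpacking pattern.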

Memory Dump Source
• Source File: 00000000.00000002.315740953.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_dad000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4993839835bb651a240f03db57f8bf5a5ba4f2eea4a0854af031673c6d894b9
• Instruction ID: 93ddf1f3e23a6bcb4c7c083e401724e216d44efe0871cf39283f6126ee8668e6
• Opcode Fuzzy Hash: a4993839835bb651a240f03db57f8bf5a5ba4f2eea4a0854af031673c6d894b9
• Instruction Fuzzy Hash: AF213A71904240DFCB05DF50D9C0B26BF66FB9A328F28C969E8460B646C336D855DBB1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.315763944.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_dbd000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0efbfd707a377e429c0fd4491dcd36070d89c43213b49adb8be7c491e397551
• Instruction ID: c3459e115f72a754769661b33841e2a145c606b862b3876b1584beaae458aa8e
• Opcode Fuzzy Hash: c0efbfd707a377e429c0fd4491dcd36070d89c43213b49adb8be7c491e397551
• Instruction Fuzzy Hash: 10213775504240DFCB14EF50D9C0B56BBA6FB88324F28C9A9D84A0B346D336D847DB71
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.315763944.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_dbd000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04d6f3c9c93868050546cf96da6ff8e1366dfd248075cbea21067d54798f3b42
• Instruction ID: 1b176b22fcefc8b26b259f65ff5fc49ab7809cb88030eb95bb35419c2c50085c
• Opcode Fuzzy Hash: 04d6f3c9c93868050546cf96da6ff8e1366dfd248075cbea21067d54798f3b42
• Instruction Fuzzy Hash: DC210775504280EFDB05CF50D9C0B66BBA6FB84318F24C9ADD84A4B245D336D846DB71
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.315763944.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_dbd000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e76bd519b597b271e913543375fa10763063d566de500b853ca6922e959e5ca1
• Instruction ID: 137f3f192d2ccffc8ee10df29f53d063648cce46381f1e1b35f297fd8d66594d
• Opcode Fuzzy Hash: e76bd519b597b271e913543375fa10763063d566de500b853ca6922e959e5ca1
• Instruction Fuzzy Hash: 532180755093C0CFCB02CF20D990755BF71EB46314F28C5EAD8498B697C33A980ACB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.315740953.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_dad000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42e51dbedfba481cd5c91b0aaf319ba9b84bc14884d9ed747bd0ea32b821295d
• Instruction ID: 78d22862c4bc5eadecf3273340d8a41462104852a68cbcc8e5976d7cd34e5511
• Opcode Fuzzy Hash: 42e51dbedfba481cd5c91b0aaf319ba9b84bc14884d9ed747bd0ea32b821295d
• Instruction Fuzzy Hash: F1110876804280CFCF16CF10D9C4B16BF72FB99324F28C6A9D8450BA56C336D856DBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.315763944.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_dbd000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb700c5beaafff4adc2fe5463f907076a12d384ceaaf40f2ccbf1e501f4d82ce
• Instruction ID: f83c8b9cdaf03d3d1e45f989bad4c1b197fa2ea245dfb012900541a0abf09b90
• Opcode Fuzzy Hash: eb700c5beaafff4adc2fe5463f907076a12d384ceaaf40f2ccbf1e501f4d82ce
• Instruction Fuzzy Hash: DF11BB75904280DFCB02CF10C5C0B55BFA2FB84324F28C6A9D84A4B656C33AD84ACB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.315740953.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_dad000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3746da09a0637d17b755bdc5b92f80a30d390c797508ed0c0c73801a0a0a55d5
• Instruction ID: d5430f043f4c48a1f2648b0a21f6d36da6881f12a6c4ee3a7d1317059f66983a
• Opcode Fuzzy Hash: 3746da09a0637d17b755bdc5b92f80a30d390c797508ed0c0c73801a0a0a55d5
• Instruction Fuzzy Hash: 6101F731504344AAE7148F55CD84B66BBDCEF52334F1C891AED070EA46D778D840DAB1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.315740953.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_dad000_DHL Delivery Invoice AWB 2774038374 .jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07be156595d7d4b460799152970d6af35d03e44539f72932b5d2551a98f30c7b
• Instruction ID: a8e1e465ff2f2423f8ed135b6abfdc6b256785986f55bcd8b8ff4c16541c59b2
• Opcode Fuzzy Hash: 07be156595d7d4b460799152970d6af35d03e44539f72932b5d2551a98f30c7b
• Instruction Fuzzy Hash: 17F062714043449AE7148F55CCC4B62FB98EF92734F18C45AED0A5F686C7799C44CAB1
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:16.5%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:2.9%
                                                                                                            Total number of Nodes:204
                                                                                                            Total number of Limit Nodes:16

                                                                                                            Graph


                                                                                                            Executed Functions

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548457731.0000000001210000.00000040.00000010.sdmp, Offset: 01210000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_1210000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2994545307-0
                                                                                                            • Opcode ID: c6897dbdc722d744b75735cf367b65c532a8a53b5f3f22fb5a9ff69615fccc30
                                                                                                            • Instruction ID: 4ffe3929998bc7d08906e16d604f5ecd6f8ea26c3288149eb3b515d28b8cfcf9
                                                                                                            • Opcode Fuzzy Hash: c6897dbdc722d744b75735cf367b65c532a8a53b5f3f22fb5a9ff69615fccc30
                                                                                                            • Instruction Fuzzy Hash: F3622735E006198FCB24EFB8C95469DB7F5BF99300F1085AAD54AAB254EF709E81CF81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.546976953.0000000000F70000.00000040.00000010.sdmp, Offset: 00F70000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_f70000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2994545307-0
                                                                                                            • Opcode ID: 155ccee76945ccd99346007cc82597de7ab071da5db3fd8f21803aab1aa1797c
                                                                                                            • Instruction ID: 99239d48e5c5837f864589d22d8a8cd1e957c073c22c50e3acd408a0bb155eaf
                                                                                                            • Opcode Fuzzy Hash: 155ccee76945ccd99346007cc82597de7ab071da5db3fd8f21803aab1aa1797c
                                                                                                            • Instruction Fuzzy Hash: 45615B34A00209DBDB24EFB4D854BAE77F6AF84315F10C839E406A7394DB799C49DB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 013621A3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548894023.0000000001360000.00000040.00000010.sdmp, Offset: 01360000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_1360000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HookWindows
                                                                                                            • String ID:
                                                                                                            • API String ID: 2559412058-0
                                                                                                            • Opcode ID: ce24746eee151b14466c2408a8ad028b9018eba32b3c42c8f9d2071db155fb3b
                                                                                                            • Instruction ID: 7ce7146f3f0a633204c7a8886242db85f4238a3598e11f1a1f0bc55ccdfb013b
                                                                                                            • Opcode Fuzzy Hash: ce24746eee151b14466c2408a8ad028b9018eba32b3c42c8f9d2071db155fb3b
                                                                                                            • Instruction Fuzzy Hash: 70213475D042089FDB14CF99C844BEEBBF9EB88314F14842AE519A7250DBB4A945CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B1047
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B11A0
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                            • String ID: xti
                                                                                                            • API String ID: 2638914809-194848896
                                                                                                            • Opcode ID: 5fd90ce45066efb82bd7f3e1f51a3d263b181c41a0f45803c9db742be1b8f20f
                                                                                                            • Instruction ID: 8b4b6dcd1521fb0fd6832a7f0b8037ce4c0a25a16ca7943af82b14c3871ac66e
                                                                                                            • Opcode Fuzzy Hash: 5fd90ce45066efb82bd7f3e1f51a3d263b181c41a0f45803c9db742be1b8f20f
                                                                                                            • Instruction Fuzzy Hash: BAA22974A00228CFCB64EF64D89869DB7B6BF88305F5094E9E60AA3744DF749E81CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B1047
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B11A0
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2638914809-0
                                                                                                            • Opcode ID: d022fea7c04000cbd684d2b0390d10e66dfc4a1edb894ff57d4f0b2cbf7434b0
                                                                                                            • Instruction ID: 915b1928d25e61b399e511d3347f43d4c2e97264a36185afd0cc9690e763a0c3
                                                                                                            • Opcode Fuzzy Hash: d022fea7c04000cbd684d2b0390d10e66dfc4a1edb894ff57d4f0b2cbf7434b0
                                                                                                            • Instruction Fuzzy Hash: 1E523974A00328CFCB64EF64D89869DB7B6BF48205F5094E9E60AA3744DF749E82CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B1047
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B11A0
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2638914809-0
                                                                                                            • Opcode ID: 08943bb4604e9434b1c21ef216d7296618cf12daf960e0bf8cf83cd11f425186
                                                                                                            • Instruction ID: ef13a8a07542f663c4d07b2620e7567f7141086a2351b5b6bf842a1e96c7f283
                                                                                                            • Opcode Fuzzy Hash: 08943bb4604e9434b1c21ef216d7296618cf12daf960e0bf8cf83cd11f425186
                                                                                                            • Instruction Fuzzy Hash: C9423974A00328CFCB64EF64D89869DB7B6BF48205F5094E9E60AA3744DF749E82CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B1047
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B11A0
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2638914809-0
                                                                                                            • Opcode ID: e4f41b0b299f103aceb9a5f79a017145eddb1559367fad7faeb40796e42b94a6
                                                                                                            • Instruction ID: f824035bec67f1977170f92fde82d657a16dba8414e1e4369893e4e9ba47f863
                                                                                                            • Opcode Fuzzy Hash: e4f41b0b299f103aceb9a5f79a017145eddb1559367fad7faeb40796e42b94a6
                                                                                                            • Instruction Fuzzy Hash: E6422974A00328CFCB64EF64D89869DB7B6BF48205F5094E9E60AA3744DF749E82CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B1047
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B11A0
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2638914809-0
                                                                                                            • Opcode ID: 7a986c65bab4f233f148bdd3df7bbc4bdfa462b509f78c762cc53c90d52972dc
                                                                                                            • Instruction ID: 6e3170f2d1013392aff0609bac1aa6111c571062b64bdf4c438f4f60219cb12a
                                                                                                            • Opcode Fuzzy Hash: 7a986c65bab4f233f148bdd3df7bbc4bdfa462b509f78c762cc53c90d52972dc
                                                                                                            • Instruction Fuzzy Hash: CC422974A00328CFCB64EF64D89869DB7B6BF48205F5094E9E60AA3744DF749E82CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B1047
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B11A0
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2638914809-0
                                                                                                            • Opcode ID: 1f59fa2cfad84da128f561c52e9fcc21a3ecee256563910d925c8c8e6f014bb6
                                                                                                            • Instruction ID: b9fcd026e1fee15042b8e876244a5e2516fb057a9f52a05e5d23670114e2246e
                                                                                                            • Opcode Fuzzy Hash: 1f59fa2cfad84da128f561c52e9fcc21a3ecee256563910d925c8c8e6f014bb6
                                                                                                            • Instruction Fuzzy Hash: 82422974A00328CFCB64EF64D89869DB7B6BF48205F5094E9E60AA3744DF748E82CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B11A0
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2638914809-0
                                                                                                            • Opcode ID: 472c6ef81b07bb2daf3ecbd79201d6fe1ba8733bac3863173a09ecb60690ba88
                                                                                                            • Instruction ID: 10afd9c6eb6cde55e98df9221be761ec26b0653e1580cc34674e78a9fb1860a6
                                                                                                            • Opcode Fuzzy Hash: 472c6ef81b07bb2daf3ecbd79201d6fe1ba8733bac3863173a09ecb60690ba88
                                                                                                            • Instruction Fuzzy Hash: 02222B74A00229CFCB64EF74D89869DB7B6BF88205F5084E9D60AA3744DF748E82CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B11A0
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2638914809-0
                                                                                                            • Opcode ID: d9c3cb20539db42e6b7efb4e8fc9611088d834d011569b2c20f48e4ae902f5aa
                                                                                                            • Instruction ID: df9a4245b92e304b0ab5dc690f7703d74fa205cd78cf64e6461a4e5dd1c54012
                                                                                                            • Opcode Fuzzy Hash: d9c3cb20539db42e6b7efb4e8fc9611088d834d011569b2c20f48e4ae902f5aa
                                                                                                            • Instruction Fuzzy Hash: 0B122BB4A00229CFCB64EF74D89869DB7B6BF88205F5084E9D60AA3744DF748E81CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionInitializeThunkUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 243558500-0
                                                                                                            • Opcode ID: f076eb7060473f26771a23db84aa9b030b886a9b1f91e98d4ddda098051c065c
                                                                                                            • Instruction ID: 4317cbdb762147d6ab317caad33a0862ef8e8de874034a7bf24c5c9997483283
                                                                                                            • Opcode Fuzzy Hash: f076eb7060473f26771a23db84aa9b030b886a9b1f91e98d4ddda098051c065c
                                                                                                            • Instruction Fuzzy Hash: 9C1219B4A00229CFCB64EF74D89869DB7B6BF88205F5094E9D60AA3344DF748E81CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionInitializeThunkUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 243558500-0
                                                                                                            • Opcode ID: 052e0fcb339b2539f4ae4991cf59eea02e565d192a6b18bff09756561e61de4b
                                                                                                            • Instruction ID: a30a09b5806ba309a4a6c0d77d38b1e146f570a61fa2cb3dbaacead08695c4ad
                                                                                                            • Opcode Fuzzy Hash: 052e0fcb339b2539f4ae4991cf59eea02e565d192a6b18bff09756561e61de4b
                                                                                                            • Instruction Fuzzy Hash: 98F11974A102288FCB64EF74D89879DB6BABF88305F5094E9E50AA3344DF749E81CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionInitializeThunkUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 243558500-0
                                                                                                            • Opcode ID: 8910bf4479a2535f90ba4339947e8a624219fe92b3d3d33ca873dd6aaaeda729
                                                                                                            • Instruction ID: 668b3be19deeba37f0bad47d6b66287bd1061b2b9b95b5cdbd66365487758ebe
                                                                                                            • Opcode Fuzzy Hash: 8910bf4479a2535f90ba4339947e8a624219fe92b3d3d33ca873dd6aaaeda729
                                                                                                            • Instruction Fuzzy Hash: B2E11A74A002298FCB64EF74D89879DB6BABF88305F5094E9E50AA3344DF749E81CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 013B15C0
                                                                                                            • LdrInitializeThunk.NTDLL ref: 013B1869
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionInitializeThunkUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 243558500-0
                                                                                                            • Opcode ID: 3504bb3ec2ad380000f6feec3dc6b471300db24547b9ae81cfa2f96c6f5656bd
                                                                                                            • Instruction ID: ed90a3193629287279e787bb52e98cd288e7e41dbaea6a54e26c3a46da1941e5
                                                                                                            • Opcode Fuzzy Hash: 3504bb3ec2ad380000f6feec3dc6b471300db24547b9ae81cfa2f96c6f5656bd
                                                                                                            • Instruction Fuzzy Hash: A5E11974A002288BCB64EF74D89879DB6BABF88205F5094E9D50AA3344DF748E81CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                             Control-flow Graph

                                                                                                             control_flow_graph: node and edge data omitted. Basic blocks 13b15f7-13b2340; calls LdrInitializeThunk (block 13b1863-13b18cf); internal calls to 121e3c0/121e3bc, 121e997/121e9f7/121e998, 121eb17/121eab8/121ea5a, 121eca5/121ebd8/121eb7a, 121ed70/121ed68, 121f770/121f780 and 13618e8.
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548982373.00000000013B0000.00000040.00000010.sdmp, Offset: 013B0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_13b0000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2994545307-0
                                                                                                            • Opcode ID: 636b00647e9859db6a2b5c3548d6ceeb3ca67aa41028010a9957081ba517de26
                                                                                                            • Instruction ID: 1d101822dde6528e898ed27269f491743817dcd3326210a23d56e969549b1189
                                                                                                            • Opcode Fuzzy Hash: 636b00647e9859db6a2b5c3548d6ceeb3ca67aa41028010a9957081ba517de26
                                                                                                            • Instruction Fuzzy Hash: 87E11974A102298BCB64EF74D8987ADB6BABF88305F5084E9D50AE3344DF748E81CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                             Control-flow Graph

                                                                                                             control_flow_graph: node and edge data omitted. Basic blocks 121dbc9-121de06; calls LdrInitializeThunk (block 121dc7b-121dc92) and the internal subroutine 121aae4 twice (blocks 121dcdb-121dd36 and 121dd3f-121ddd9).
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548457731.0000000001210000.00000040.00000010.sdmp, Offset: 01210000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_1210000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2994545307-0
                                                                                                            • Opcode ID: 8357b6e783c4f1e142471927e17e3fb45d34d48dd4e93ec99da3ee3d23bd299d
                                                                                                            • Instruction ID: ddae132379d68c5b695b3db985a52ced7cc860e05925aad036d8be2b11d3025a
                                                                                                            • Opcode Fuzzy Hash: 8357b6e783c4f1e142471927e17e3fb45d34d48dd4e93ec99da3ee3d23bd299d
                                                                                                            • Instruction Fuzzy Hash: 3451F531A10309DFCB04EFB4C898AAE7BF9BF95304F14896AE516DB299DF70D8058B50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                             Control-flow Graph

                                                                                                             control_flow_graph: node and edge data omitted. Basic blocks 121dc28-121de06; calls LdrInitializeThunk (block 121dc28-121dc92) and the internal subroutine 121aae4 twice (blocks 121dcdb-121dd36 and 121dd3f-121ddd9).
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548457731.0000000001210000.00000040.00000010.sdmp, Offset: 01210000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_1210000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2994545307-0
                                                                                                            • Opcode ID: 93d463b1085ca09de59b83ff7180b1b8e12c59aa1606006fa3d2100c234a212d
                                                                                                            • Instruction ID: 162173f42528ec631f7857b87f7c08d9a0273147caa67aeb49e7480ad158ac7a
                                                                                                            • Opcode Fuzzy Hash: 93d463b1085ca09de59b83ff7180b1b8e12c59aa1606006fa3d2100c234a212d
                                                                                                            • Instruction Fuzzy Hash: 8B51B731A10309DFCB14EFB4C848AAEB7F9BF94314F548969D5069B289DF71D905CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548894023.0000000001360000.00000040.00000010.sdmp, Offset: 01360000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_1360000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9cf1a008330c01a3547c58233df2a328b0a8a7dcae9b72c3ca9e47aa67145cf0
                                                                                                            • Instruction ID: 13c9d37d6b7f15fb7e4360fb2dbfa477ae6151465414b0ee6c826867d74dad85
                                                                                                            • Opcode Fuzzy Hash: 9cf1a008330c01a3547c58233df2a328b0a8a7dcae9b72c3ca9e47aa67145cf0
                                                                                                            • Instruction Fuzzy Hash: 67415671D043858FCB04CFB9C8006EEFFF4AF85214F0985AED544A7241EB749845CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.546976953.0000000000F70000.00000040.00000010.sdmp, Offset: 00F70000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_f70000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InitializeThunk
                                                                                                            • String ID:
                                                                                                            • API String ID: 2994545307-0
                                                                                                            • Opcode ID: 4e47c948f2662798fa449f243b2850283ca110720e9b8f780061eda02f810b0e
                                                                                                            • Instruction ID: de0446873e93f8b80a0973bcbef2ec1deb0af9620185648bb6cffca1fd8e9aec
                                                                                                            • Opcode Fuzzy Hash: 4e47c948f2662798fa449f243b2850283ca110720e9b8f780061eda02f810b0e
                                                                                                            • Instruction Fuzzy Hash: 7231AC34A04388DFDB05DBB8D454AA97BF1AF85304F14C4BAD009EB2A6DB319C4ACB42
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00F79C11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.546976953.0000000000F70000.00000040.00000010.sdmp, Offset: 00F70000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_f70000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: QueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3660427363-0
                                                                                                            • Opcode ID: 681a4568f9496f8be7e794331f49884c02666de91f3de63b49e171db0ff7a43b
                                                                                                            • Instruction ID: 469e876b62b49134d9c3a3ee55b3a83933390baef9dd47c1e2886b3acf32b119
                                                                                                            • Opcode Fuzzy Hash: 681a4568f9496f8be7e794331f49884c02666de91f3de63b49e171db0ff7a43b
                                                                                                            • Instruction Fuzzy Hash: 1231F0B1D042589FCB20CF9AD884ACEFBF5BF48714F14802AE819AB310D7B09945DFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 00F79954
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.546976953.0000000000F70000.00000040.00000010.sdmp, Offset: 00F70000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_f70000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Open
                                                                                                            • String ID:
                                                                                                            • API String ID: 71445658-0
                                                                                                            • Opcode ID: 2a8277bbe32b9232ab1d8f02f5f08f3346833e6bc227289bc61713c9eadf77d6
                                                                                                            • Instruction ID: 3df2c295b5630aba52dcddf5cd17bf99022c300cf953afed9bf342d642906fbc
                                                                                                            • Opcode Fuzzy Hash: 2a8277bbe32b9232ab1d8f02f5f08f3346833e6bc227289bc61713c9eadf77d6
                                                                                                            • Instruction Fuzzy Hash: A631EFB0D042889FDB10CFA9C584A8EFBF5AF48314F28C16ED509AB241C7B59845CF91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 00F79954
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.546976953.0000000000F70000.00000040.00000010.sdmp, Offset: 00F70000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_f70000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Open
                                                                                                            • String ID:
                                                                                                            • API String ID: 71445658-0
                                                                                                            • Opcode ID: 42938c06d1260448b747aaad7dbf0f1a47cac1054bab8d5381d32f4105050cd2
                                                                                                            • Instruction ID: bdd7fcfd5c51ab7caf41ae0a87d3aef9d95706686de4e693cfd0e29573a21259
                                                                                                            • Opcode Fuzzy Hash: 42938c06d1260448b747aaad7dbf0f1a47cac1054bab8d5381d32f4105050cd2
                                                                                                            • Instruction Fuzzy Hash: DD31ECB0D042499FDB10CF99C584A8EFBF5AF48314F28C16AE909AB341D7B59885CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 013621A3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.548894023.0000000001360000.00000040.00000010.sdmp, Offset: 01360000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_1360000_RegSvcs.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HookWindows
                                                                                                            • String ID:
                                                                                                            • API String ID: 2559412058-0
                                                                                                            • Opcode ID: 6b7298391b4d72e1b76d27c051a23f986ff830bd21049dba2d65eaeb1e3427f8
                                                                                                            • Instruction ID: a20a7094909eec8b9377cf82ffa5eed29b9e458f116e18cedc580efe87e5258d
                                                                                                            • Opcode Fuzzy Hash: 6b7298391b4d72e1b76d27c051a23f986ff830bd21049dba2d65eaeb1e3427f8
                                                                                                            • Instruction Fuzzy Hash: 31216575D042089FCB10CFA9C844BEEFBF9AF88314F14842AE419A3250C7B4A945CFA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0136BC29,00000800), ref: 0136BCBA
                                                                                                            Memory Dump Source
• Source File: 0000000D.00000002.548894023.0000000001360000.00000040.00000010.sdmp, Offset: 01360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1360000_RegSvcs.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 233780d2a797950aaa9b168bc97cb8587ea82183bd2066e7f9daaa066822d055
• Instruction ID: c773d3533300496b98ab557a7e47fb0587e9eec9c54d7941de906d0f64c0e553
• Opcode Fuzzy Hash: 233780d2a797950aaa9b168bc97cb8587ea82183bd2066e7f9daaa066822d055
• Instruction Fuzzy Hash: 841103B69002089FDB10CF9AC444ADEFBF8EB88324F14842AE915A7604C775A945CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 01360CA7
Memory Dump Source
• Source File: 0000000D.00000002.548894023.0000000001360000.00000040.00000010.sdmp, Offset: 01360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1360000_RegSvcs.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: aeab70e9d02e5b19718707ede3c811a0f07208eb31641b8924aa2803e6555c48
• Instruction ID: 29ba0e3ee776287d9f30fbc33c07a453d9065ac4fd91162777756e2ec4e5be07
• Opcode Fuzzy Hash: aeab70e9d02e5b19718707ede3c811a0f07208eb31641b8924aa2803e6555c48
• Instruction Fuzzy Hash: 911133B1C002599FCB10CFAAC445BEEFBF4AF48224F15856AD814B7640D378A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0136BC29,00000800), ref: 0136BCBA
Memory Dump Source
• Source File: 0000000D.00000002.548894023.0000000001360000.00000040.00000010.sdmp, Offset: 01360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1360000_RegSvcs.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: d6d26bb2db7c9de789ba381f334c02b85481409e86a62ad7f100f1b15d123af5
• Instruction ID: be56d55050db89baff0c512fb37f4c720d73426cdaf25038c01fb43aed0f1ce8
• Opcode Fuzzy Hash: d6d26bb2db7c9de789ba381f334c02b85481409e86a62ad7f100f1b15d123af5
• Instruction Fuzzy Hash: 101133B6D003089FDB10CFA9D444AEEFBF8AF98324F14842ED515A7600C375A945CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.548722449.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_131d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a92b740a8f7e02b567f26653e46b6b8ecb1e9b177814ca05f14184ac6ce43de
• Instruction ID: a5b5774a3f5a509e1a2b31a4a531931c4fc9aa1f232654ad9c46df3308d48b7e
• Opcode Fuzzy Hash: 3a92b740a8f7e02b567f26653e46b6b8ecb1e9b177814ca05f14184ac6ce43de
• Instruction Fuzzy Hash: A9213A71500244EFDF09DF94D9C4B27BF69FB9432CF248969E8054B24AC336D456DBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.548722449.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_131d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b5937f606edbd202bddc02422b617d9e08e8d045a3d4778d14f1076b36f6eea
• Instruction ID: f845e638d397f4c3d0b5e988e6e6d38065727cc4057af5dded1729c5994768dd
• Opcode Fuzzy Hash: 6b5937f606edbd202bddc02422b617d9e08e8d045a3d4778d14f1076b36f6eea
• Instruction Fuzzy Hash: 48214571500244EFDB09DF94D9C8B67BF69FB88328F248568E8051B20BCB36E855CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.548788604.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_132d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e9d379d0792c20edeb0275febde3f3790366db59756d216cf35cd127d8a90bf
• Instruction ID: bc93f045cab7d945617c16dc78269e8e034cf1a400dc1856e91b47e0d55727d1
• Opcode Fuzzy Hash: 9e9d379d0792c20edeb0275febde3f3790366db59756d216cf35cd127d8a90bf
• Instruction Fuzzy Hash: 43213771504244DFCB15EF94D9C0B16BBA9FB84368F24C969D8490B756C33AD847CB61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.548788604.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_132d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2ef88c5e29bc6939de09fb2699330bd794ee31e17d96722ab5f9a3ff45fdeca
• Instruction ID: 3721f63c8ed140cd2e2df64d52880992374449d735c2f2ba2f80966169e100d4
• Opcode Fuzzy Hash: c2ef88c5e29bc6939de09fb2699330bd794ee31e17d96722ab5f9a3ff45fdeca
• Instruction Fuzzy Hash: C62180754083809FCB03DF64D994B11BF71EB46214F28C5DAD8458F2A7C33A9856CB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.548722449.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_131d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42e51dbedfba481cd5c91b0aaf319ba9b84bc14884d9ed747bd0ea32b821295d
• Instruction ID: c0f57dd9f957f76782ad0d692da10c9d9652329028bd6810acac6010b66db948
• Opcode Fuzzy Hash: 42e51dbedfba481cd5c91b0aaf319ba9b84bc14884d9ed747bd0ea32b821295d
• Instruction Fuzzy Hash: AF11D376404280CFCF06CF54D9C4B16BF72FB85328F24C6A9D8494B65AC33AD466CBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.548722449.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_131d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42e51dbedfba481cd5c91b0aaf319ba9b84bc14884d9ed747bd0ea32b821295d
• Instruction ID: fa26fd8f89988c864fbddf0a41381d8e1890a86896509a238791ef510705635c
• Opcode Fuzzy Hash: 42e51dbedfba481cd5c91b0aaf319ba9b84bc14884d9ed747bd0ea32b821295d
• Instruction Fuzzy Hash: 9211BE76404280CFDF16CF54D9C4B16BF71FB89328F2886A9D8050B65BC33AD45ACBA2
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions