
Windows Analysis Report
DHL - OVERDUE ACCOUNT - 1301154822.exe

Overview

General Information

Sample Name: DHL - OVERDUE ACCOUNT - 1301154822.exe
Analysis ID: 635263
MD5: 420273f8012dc23eff9195fa55f878d9
SHA1: 3927ab6547e261c3f12592210bad348a8a0e0d95
SHA256: da1c892564b950627b9643b9bacb000a6b79f500a75faef4f76c81b974319c83
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup
Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Username": "info@szlikestechs.com", "Password": "H$sCdQv5", "Host": "us2.smtp.mailhostbox.com"}

Yara matches in memory dumps (16 entries in total; 5 shown here)

Source | Rule | Description | Author | Strings
00000004.00000000.283147306.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000000.283147306.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000004.00000000.284135200.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000000.284135200.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.288320450.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Yara matches in unpacked PE files (33 entries in total; 5 shown here)

Source | Rule | Description | Author | Strings
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.10.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen |
  • 0x32b00:$s10: logins
  • 0x32567:$s11: credential
  • 0x2eb6e:$g1: get_Clipboard
  • 0x2eb7c:$g2: get_Keyboard
  • 0x2eb89:$g3: get_Password
  • 0x2fe72:$g4: get_CtrlKeyDown
  • 0x2fe82:$g5: get_ShiftKeyDown
  • 0x2fe93:$g6: get_AltKeyDown
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@szlikestechs.com", "Password": "H$sCdQv5", "Host": "us2.smtp.mailhostbox.com"}
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | ReversingLabs: Detection: 17%
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\FFPXqNsgHE\src\obj\x86\Debug\ActivityTrac.pdb source: DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\FFPXqNsgHE\src\obj\x86\Debug\ActivityTrac.pdb`3 source: DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: Joe Sandbox View | IP Address: 162.222.225.16
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 162.222.225.16:587
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 162.222.225.16:587
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://KjYRZa.com
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.520135336.00000000065D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516512148.00000000010F2000.00000004.00000020.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.520135336.00000000065D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.520135336.00000000065D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.520135336.00000000065D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.520135336.00000000065D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | String found in binary or memory: https://github.com
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | String found in binary or memory: https://github.com/dcoetzee/plants-vs-zombies-user-file-editor
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517589651.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517699531.000000000302A000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517634868.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://jWSBfT0ukRWLv8I.org
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517589651.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://jWSBfT0ukRWLv8I.org8
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.520135336.00000000065D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com

System Summary

Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.7370000.9.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.7370000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3baa318.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3baa318.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.296993715.0000000007370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack, <PrivateImplementationDetails>{C9F94395-BB6C-42BE-A7FA-D6177E20D25D}/656839F3-EFA6-4F4E-9DEC-736CEA65FC07.cs | Large array initialization: .cctor: array initializer size 11600
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.4.unpack, <PrivateImplementationDetails>{C9F94395-BB6C-42BE-A7FA-D6177E20D25D}/656839F3-EFA6-4F4E-9DEC-736CEA65FC07.cs | Large array initialization: .cctor: array initializer size 11600
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.8.unpack, <PrivateImplementationDetails>{C9F94395-BB6C-42BE-A7FA-D6177E20D25D}/656839F3-EFA6-4F4E-9DEC-736CEA65FC07.cs | Large array initialization: .cctor: array initializer size 11600
Source: 4.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.0.unpack, <PrivateImplementationDetails>{C9F94395-BB6C-42BE-A7FA-D6177E20D25D}/656839F3-EFA6-4F4E-9DEC-736CEA65FC07.cs | Large array initialization: .cctor: array initializer size 11600
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.7370000.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.7370000.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3baa318.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3baa318.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.296993715.0000000007370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 0_2_00694714
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 0_2_0110F071
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 0_2_0110F080
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 0_2_0110D65C
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_008D4714
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_0104F380
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_0104F6C8
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_06177598
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_0617D5B0
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_06178DC0
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_0617A850
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_06178C71
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_061732A8
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_065227B4
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_06525630
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_065224A0
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Binary or memory string: OriginalFilename vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.288320450.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXttjvzAUkSMhTszgeCgszbJvKNbIqfDysbK.exe4 vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.293031358.0000000003BAA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXttjvzAUkSMhTszgeCgszbJvKNbIqfDysbK.exe4 vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.293031358.0000000003BAA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000000.243932714.0000000000692000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameActivityTrac.exe" vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.296993715.0000000007370000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Binary or memory string: OriginalFilename vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000000.271133808.00000000008D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameActivityTrac.exe" vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000000.283147306.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXttjvzAUkSMhTszgeCgszbJvKNbIqfDysbK.exe4 vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.515909666.0000000000D38000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516306595.000000000105A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Binary or memory string: OriginalFilenameActivityTrac.exe" vs DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | ReversingLabs: Detection: 17%
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe "C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe"
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Process created: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Process created: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL - OVERDUE ACCOUNT - 1301154822.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.4.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.4.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.8.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.8.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\FFPXqNsgHE\src\obj\x86\Debug\ActivityTrac.pdb source: DHL - OVERDUE ACCOUNT - 1301154822.exe
                    Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\FFPXqNsgHE\src\obj\x86\Debug\ActivityTrac.pdb`3 source: DHL - OVERDUE ACCOUNT - 1301154822.exe
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 0_2_0110BE00 pushad ; ret 0_2_0110BE01
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_0617165E push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_06171662 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_0617166A push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_0617169E push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_0617169A push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716B6 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716B2 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716BE push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716BA push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716A6 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716AE push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716AA push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716D6 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716D2 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716DE push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716DA push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716C6 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716C2 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716CE push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716CA push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716F6 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716F2 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716FE push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716FA push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716E6 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716E2 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716EE push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_061716EA push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_06171716 push es; ret 4_2_061718C4
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeCode function: 4_2_06171712 push es; ret 4_2_061718C4
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.75793863969
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeFile created: \dhl - overdue account - 1301154822.exe
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeFile created: \dhl - overdue account - 1301154822.exeJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: 00000000.00000002.288320450.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.288920805.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL - OVERDUE ACCOUNT - 1301154822.exe PID: 3372, type: MEMORYSTR
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.288320450.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.288920805.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.288320450.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.288920805.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe TID: 4532 | Thread sleep time: -43731s >= -30000s
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe TID: 3532 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe TID: 760 | Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe TID: 5208 | Thread sleep count: 5813 > 30
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe TID: 5208 | Thread sleep count: 3088 > 30
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Window / User API: threadDelayed 5813
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Window / User API: threadDelayed 3088
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Thread delayed: delay time: 43731
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Thread delayed: delay time: 922337203685477
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.288920805.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.288920805.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.288920805.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516670814.0000000001149000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.288920805.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Code function: 4_2_0617BEC8 LdrInitializeThunk,4_2_0617BEC8
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Memory written: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Process created: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information (VolumeInformation), one query per file, for the following font files in the order recorded:
    C:\Windows\Fonts\CENTAUR.TTF
    C:\Windows\Fonts\CHILLER.TTF
    C:\Windows\Fonts\COLONNA.TTF
    C:\Windows\Fonts\COOPBL.TTF
    C:\Windows\Fonts\FTLTLT.TTF
    C:\Windows\Fonts\HARLOWSI.TTF
    C:\Windows\Fonts\HARNGTON.TTF
    C:\Windows\Fonts\HTOWERT.TTF
    C:\Windows\Fonts\HTOWERTI.TTF
    C:\Windows\Fonts\JOKERMAN.TTF
    C:\Windows\Fonts\KUNSTLER.TTF
    C:\Windows\Fonts\LBRITE.TTF
    C:\Windows\Fonts\LBRITED.TTF
    C:\Windows\Fonts\LBRITEI.TTF
    C:\Windows\Fonts\LBRITEDI.TTF
    C:\Windows\Fonts\LCALLIG.TTF
    C:\Windows\Fonts\LFAX.TTF
    C:\Windows\Fonts\LFAXD.TTF
    C:\Windows\Fonts\LFAXI.TTF
    C:\Windows\Fonts\LFAXDI.TTF
    C:\Windows\Fonts\MAGNETOB.TTF
    C:\Windows\Fonts\MATURASC.TTF
    C:\Windows\Fonts\MOD20.TTF
    C:\Windows\Fonts\NIAGENG.TTF
    C:\Windows\Fonts\NIAGSOL.TTF
    C:\Windows\Fonts\OLDENGL.TTF
    C:\Windows\Fonts\ONYX.TTF
    C:\Windows\Fonts\PARCHM.TTF
    C:\Windows\Fonts\PLAYBILL.TTF
    C:\Windows\Fonts\POORICH.TTF
    C:\Windows\Fonts\RAVIE.TTF
    C:\Windows\Fonts\INFROMAN.TTF
    C:\Windows\Fonts\SHOWG.TTF
    C:\Windows\Fonts\SNAP____.TTF
    C:\Windows\Fonts\STENCIL.TTF
    C:\Windows\Fonts\VINERITC.TTF
    C:\Windows\Fonts\VIVALDII.TTF
    C:\Windows\Fonts\VLADIMIR.TTF
    C:\Windows\Fonts\LATINWD.TTF
    C:\Windows\Fonts\TCM_____.TTF
    C:\Windows\Fonts\TCMI____.TTF
    C:\Windows\Fonts\TCB_____.TTF
    C:\Windows\Fonts\TCBI____.TTF
    C:\Windows\Fonts\TCCM____.TTF
    C:\Windows\Fonts\TCCB____.TTF
    C:\Windows\Fonts\TCCEB.TTF
    C:\Windows\Fonts\SCRIPTBL.TTF
    C:\Windows\Fonts\ROCK.TTF
    C:\Windows\Fonts\ROCKI.TTF
    C:\Windows\Fonts\ROCKB.TTF
    C:\Windows\Fonts\ROCKEB.TTF
    C:\Windows\Fonts\ROCKBI.TTF
    C:\Windows\Fonts\ROCC____.TTF
    C:\Windows\Fonts\ROCCB___.TTF
    C:\Windows\Fonts\RAGE.TTF
    C:\Windows\Fonts\PERTILI.TTF
    C:\Windows\Fonts\PERTIBD.TTF
    C:\Windows\Fonts\PER_____.TTF
    C:\Windows\Fonts\PERI____.TTF
    C:\Windows\Fonts\PERB____.TTF
    C:\Windows\Fonts\PERBI___.TTF
    C:\Windows\Fonts\PALSCRI.TTF
    C:\Windows\Fonts\OCRAEXT.TTF
    C:\Windows\Fonts\MAIAN.TTF
    C:\Windows\Fonts\LTYPE.TTF
    C:\Windows\Fonts\LTYPEO.TTF
    C:\Windows\Fonts\LTYPEB.TTF
    C:\Windows\Fonts\LTYPEBO.TTF
    C:\Windows\Fonts\LSANS.TTF
    C:\Windows\Fonts\LSANSD.TTF
    C:\Windows\Fonts\LSANSI.TTF
    C:\Windows\Fonts\LSANSDI.TTF
    C:\Windows\Fonts\IMPRISHA.TTF
    C:\Windows\Fonts\HATTEN.TTF
    C:\Windows\Fonts\GOUDYSTO.TTF
    C:\Windows\Fonts\GOUDOS.TTF
    C:\Windows\Fonts\GOUDOSI.TTF
    C:\Windows\Fonts\GOUDOSB.TTF
    C:\Windows\Fonts\GLECB.TTF
    C:\Windows\Fonts\GIL_____.TTF
    C:\Windows\Fonts\GILI____.TTF
    C:\Windows\Fonts\GILB____.TTF
    C:\Windows\Fonts\GILBI___.TTF
    C:\Windows\Fonts\GILC____.TTF
    C:\Windows\Fonts\GLSNECB.TTF
    C:\Windows\Fonts\GIGI.TTF
    C:\Windows\Fonts\FRABK.TTF
    C:\Windows\Fonts\FRABKIT.TTF
    C:\Windows\Fonts\FORTE.TTF
    C:\Windows\Fonts\FELIXTI.TTF
    C:\Windows\Fonts\ERASMD.TTF
    C:\Windows\Fonts\ERASLGHT.TTF
    C:\Windows\Fonts\ERASDEMI.TTF
    C:\Windows\Fonts\ERASBD.TTF
    C:\Windows\Fonts\ENGR.TTF
    C:\Windows\Fonts\ELEPHNT.TTF
    C:\Windows\Fonts\ELEPHNTI.TTF
    C:\Windows\Fonts\ITCEDSCR.TTF
    C:\Windows\Fonts\CURLZ___.TTF
    C:\Windows\Fonts\COPRGTL.TTF
    C:\Windows\Fonts\COPRGTB.TTF
    C:\Windows\Fonts\CENSCBK.TTF
    C:\Windows\Fonts\SCHLBKI.TTF
    C:\Windows\Fonts\SCHLBKB.TTF
    C:\Windows\Fonts\SCHLBKBI.TTF
    C:\Windows\Fonts\CASTELAR.TTF
    C:\Windows\Fonts\CALIST.TTF
    C:\Windows\Fonts\CALISTI.TTF
    C:\Windows\Fonts\CALISTB.TTF
    C:\Windows\Fonts\CALISTBI.TTF
    C:\Windows\Fonts\BOOKOS.TTF
    C:\Windows\Fonts\BOOKOSB.TTF
    C:\Windows\Fonts\BOOKOSI.TTF
    C:\Windows\Fonts\BOOKOSBI.TTF
    C:\Windows\Fonts\BOD_R.TTF
    C:\Windows\Fonts\BOD_I.TTF
    C:\Windows\Fonts\BOD_B.TTF
    C:\Windows\Fonts\BOD_BI.TTF
    C:\Windows\Fonts\BOD_CR.TTF
    C:\Windows\Fonts\BOD_BLAR.TTF
    C:\Windows\Fonts\BOD_CI.TTF
    C:\Windows\Fonts\BOD_CB.TTF
    C:\Windows\Fonts\BOD_BLAI.TTF
    C:\Windows\Fonts\BOD_CBI.TTF
    C:\Windows\Fonts\ITCBLKAD.TTF
    C:\Windows\Fonts\ARLRDBD.TTF
    C:\Windows\Fonts\AGENCYR.TTF
    C:\Windows\Fonts\AGENCYB.TTF
    C:\Windows\Fonts\BSSYM7.TTF
    C:\Windows\Fonts\REFSAN.TTF
    C:\Windows\Fonts\REFSPCL.TTF
    C:\Windows\Fonts\MTEXTRA.TTF
    C:\Windows\Fonts\marlett.ttf
    C:\Windows\Fonts\micross.ttf
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Queries volume information (VolumeInformation) for the following .NET assemblies and for its own image, in the order recorded (repeated entries are repeated queries):
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
    C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
    C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
    C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3baa318.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.283147306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.284135200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.293031358.0000000003BAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.283695298.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.512729273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.278936192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL - OVERDUE ACCOUNT - 1301154822.exe PID: 3372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL - OVERDUE ACCOUNT - 1301154822.exe PID: 4956, type: MEMORYSTR
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL - OVERDUE ACCOUNT - 1301154822.exe PID: 4956, type: MEMORYSTR
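The file and registry accesses listed in this section are the concrete artefacts an analyst pivots on when confirming a credential stealer: mail-client profiles, FTP/SSH client session stores, browser login databases, plus the MachineGuid read used as a host identifier. The Python helper below is an added example, not part of the Joe Sandbox report or its tooling. It parses behaviour lines in the report's own "Source: <process> File opened / Key opened / Key value queried: <target>" form, de-duplicates repeated accesses (the report records the Thunderbird profiles.ini open twice) and groups the hits by the kind of secret each store holds. The indicator table, the category names and the sample lines are this example's own assumptions, constructed from the entries above; the table is deliberately limited to stores the report shows, so extend it before using it on other samples.

```python
"""Triage helper: classify credential-store and host-fingerprint accesses
from sandbox behaviour lines. Added example, not Joe Sandbox code."""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Indicator table (an assumption of this example, not the sandbox's own
# signature set). Each regex is applied to the lower-cased target path or
# registry key and maps it to (category, description).
INDICATORS: List[Tuple[str, str, str]] = [
    (r"\\thunderbird\\profiles\.ini$", "mail", "Thunderbird profile index"),
    (r"\\incredimail\\identities$", "mail", "IncrediMail identities (registry)"),
    (r"windows messaging subsystem\\profiles\\outlook\\", "mail", "Outlook MAPI profile (registry)"),
    (r"martin prikryl\\winscp 2\\sessions$", "ftp/ssh", "WinSCP saved sessions (registry)"),
    (r"\\filezilla\\recentservers\.xml$", "ftp", "FileZilla recent servers"),
    (r"\\smartftp\\client 2\.0\\favorites\\", "ftp", "SmartFTP favourites"),
    (r"\\google\\chrome\\user data\\[^\\]+\\login data$", "browser", "Chrome Login Data (SQLite)"),
    (r"\\mozilla\\firefox\\profiles\.ini$", "browser", "Firefox profile index"),
    # Not a credential store: a stable per-install GUID that stealers commonly
    # read to tag the victim. Tracked separately so it is not mis-counted.
    (r"\\cryptography machineguid$", "host-id", "Cryptography MachineGuid"),
]

# The extracted report fuses "<process>.exe" with the action and appends a
# "Jump to behavior" link text; the regex tolerates both.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)"
    r"(?P<action>File opened|Key opened|Key value queried):\s*"
    r"(?P<target>.+?)(?:Jump to behavior)?$"
)


@dataclass(frozen=True)
class Access:
    process: str
    action: str
    target: str
    category: Optional[str]
    description: Optional[str]


def classify(target: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (category, description) for a target, or (None, None) if unknown."""
    lowered = target.lower()
    for pattern, category, description in INDICATORS:
        if re.search(pattern, lowered):
            return category, description
    return None, None


def parse_line(line: str) -> Optional[Access]:
    """Parse one file/registry access line; other behaviour lines give None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    target = m.group("target")
    category, description = classify(target)
    return Access(m.group("proc"), m.group("action"), target, category, description)


def triage(lines) -> Tuple[List[Access], Dict[str, List[str]]]:
    """Return de-duplicated indicator hits (first occurrence order) and a
    category -> [descriptions] summary."""
    seen: "OrderedDict[Tuple[str, str], Access]" = OrderedDict()
    for line in lines:
        access = parse_line(line)
        if access is None or access.category is None:
            continue
        seen.setdefault((access.action, access.target), access)
    hits = list(seen.values())
    summary: Dict[str, List[str]] = {}
    for hit in hits:
        bucket = summary.setdefault(hit.category, [])
        if hit.description not in bucket:
            bucket.append(hit.description)
    return hits, summary


# Constructed sample input, copied in shape from the report entries above.
_P = r"Source: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe"
SAMPLE_LINES = [
    _P + r"File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior",
    _P + r"File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior",
    _P + r"Key opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior",
    _P + r"Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior",
    _P + r"Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior",
    _P + r"File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior",
    _P + r"File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior",
    _P + r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    _P + r"File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior",
    _P + r"Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
    _P + r"Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior",
]

if __name__ == "__main__":
    found, by_category = triage(SAMPLE_LINES)
    print(f"{len(found)} distinct indicator accesses")
    for category, items in by_category.items():
        print(f"  {category}: {', '.join(items)}")
```

Run against the constructed lines it reports nine distinct accesses: three mail stores, two FTP stores, one FTP/SSH store, two browser stores and the MachineGuid read; the font query line is ignored because it is not a file or registry access. Feeding it the full behaviour export of a report is a quick way to see which secret types a sample reached for before reading the rest of the signatures.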

                    Remote Access Functionality

Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3c14d58.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3be0738.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.3baa318.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.283147306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.284135200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.293031358.0000000003BAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.283695298.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.512729273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.278936192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL - OVERDUE ACCOUNT - 1301154822.exe PID: 3372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL - OVERDUE ACCOUNT - 1301154822.exe PID: 4956, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; the leading digits are the signature counts shown next to a technique in the report)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 3 Software Packing
Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 114 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 11 Archive Collected Data; 2 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Impact: Modify System Partition; Device Lockout; Delete Device Data

Antivirus detection (submitted file)
Source | Detection | Scanner | Label | Link
DHL - OVERDUE ACCOUNT - 1301154822.exe | 17% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

Antivirus detection (dropped files)
No Antivirus matches

Antivirus detection (unpacked PE files)
Source | Detection | Scanner | Label | Link | Download
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.2.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
4.0.DHL - OVERDUE ACCOUNT - 1301154822.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File

Antivirus detection (domains)
No Antivirus matches
Antivirus detection (URLs)
Source | Detection | Scanner | Label | Link
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe |
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
https://jWSBfT0ukRWLv8I.org8 | 0% | Avira URL Cloud | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0A | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://jWSBfT0ukRWLv8I.org | 0% | Avira URL Cloud | safe |
http://KjYRZa.com | 0% | Avira URL Cloud | safe |
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 162.222.225.16 | true | false | | high
URLs (from memory and binary)
Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp; DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.520135336.00000000065D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/dcoetzee/plants-vs-zombies-user-file-editor | DHL - OVERDUE ACCOUNT - 1301154822.exe | false | | high
https://sectigo.com/CPS0 | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp; DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.520135336.00000000065D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com | DHL - OVERDUE ACCOUNT - 1301154822.exe | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://jWSBfT0ukRWLv8I.org8 | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517589651.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.sectigo.com0A | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517645879.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp; DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.520135336.00000000065D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000000.00000002.295687769.0000000006CB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://jWSBfT0ukRWLv8I.org | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517589651.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp; DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517699531.000000000302A000.00000004.00000800.00020000.00000000.sdmp; DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.517634868.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://KjYRZa.com | DHL - OVERDUE ACCOUNT - 1301154822.exe, 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
162.222.225.16 | us2.smtp.mailhostbox.com | United States | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
General Information
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 635263
Start date and time: 27/05/2022 18:05:31 (2022-05-27 18:05:31 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DHL - OVERDUE ACCOUNT - 1301154822.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 38
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.242.101.226, 40.125.122.176, 20.54.89.106, 20.223.24.244
• Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: DHL - OVERDUE ACCOUNT - 1301154822.exe
Simulations (behavior and APIs)
Time | Type | Description
18:06:49 | API Interceptor | 681x Sleep call for process: DHL - OVERDUE ACCOUNT - 1301154822.exe modified
Joe Sandbox View / Context (IP)
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
162.222.225.16 | SecuriteInfo.com.W32.AIDetectNet.01.19565.exe | Get hash | malicious | Browse |
| Factura Proforma (C) n 31.exe | Get hash | malicious | Browse |
| rdKsSfT705.exe | Get hash | malicious | Browse |
| DOCX.exe | Get hash | malicious | Browse |
| 400.xlsx | Get hash | malicious | Browse |
| Factura Proforma (C) n 31.exe | Get hash | malicious | Browse |
| Factura Proforma (C) n 31.exe | Get hash | malicious | Browse |
| MV. PACIFIC ENDEAVOR V2202 PARTICULARS I.docx.exe | Get hash | malicious | Browse |
| MV REK KING_VESSEL DETAILS.pdf.exe | Get hash | malicious | Browse |
| M.V.New Journey - Cash advance Breakdown.exe | Get hash | malicious | Browse |
| MV NOVA TBN PARTICULARS.docx.exe | Get hash | malicious | Browse |
| EPDA FOR VESSEL CALLING PULAU LAUT LOADING PALMS 25000MTS_pdf.exe | Get hash | malicious | Browse |
| shipment details - 21.6 MT COUVA 760P #U2013 SO 10169195.pdf.exe | Get hash | malicious | Browse |
| PDA Query - 180397-05-16-22 Port Agency Appointment_pdf.exe | Get hash | malicious | Browse |
| XiZ5oMx0Ji.exe | Get hash | malicious | Browse |
| 150.xlsx | Get hash | malicious | Browse |
| VatKdT2W6W.exe | Get hash | malicious | Browse |
| shipment details - 21.6 MT COUVA 760P #U2013 SO 10169195.pdf.exe | Get hash | malicious | Browse |
| SecuriteInfo.com.Trojan.MSIL.AgentTesla.ESQ.MTB.6402.exe | Get hash | malicious | Browse |
| shipment details - 21.6 MT COUVA 760P #U2013 SO 10169195.pdf.exe | Get hash | malicious | Browse |
Joe Sandbox View / Context (Domain)
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
us2.smtp.mailhostbox.com | DHL - OVERDUE ACCOUNT - 130115482244.exe | Get hash | malicious | Browse | 208.91.198.38
| SecuriteInfo.com.W32.AIDetectNet.01.12288.exe | Get hash | malicious | Browse | 208.91.198.46
| SecuriteInfo.com.W32.AIDetectNet.01.3171.exe | Get hash | malicious | Browse | 208.91.198.38
| SecuriteInfo.com.Trojan.PWS.StealerNET.122.28104.exe | Get hash | malicious | Browse | 162.222.225.29
| SecuriteInfo.com.W32.AIDetectNet.01.14190.exe | Get hash | malicious | Browse | 162.222.225.29
| SecuriteInfo.com.W32.AIDetectNet.01.11498.exe | Get hash | malicious | Browse | 162.222.225.29
| PO#5072.exe | Get hash | malicious | Browse | 208.91.198.46
| SecuriteInfo.com.W32.AIDetectNet.01.19565.exe | Get hash | malicious | Browse | 162.222.225.16
| SecuriteInfo.com.Trojan.PackedNET.1352.29751.exe | Get hash | malicious | Browse | 208.91.198.46
| Purchase_order_#133.exe | Get hash | malicious | Browse | 208.91.198.38
| PO-INQUIRY-VALE-SP-2022-60.pdf.exe | Get hash | malicious | Browse | 208.91.198.46
| SecuriteInfo.com.W32.AIDetectNet.01.20179.exe | Get hash | malicious | Browse | 208.91.198.38
| SecuriteInfo.com.W32.AIDetectNet.01.7467.exe | Get hash | malicious | Browse | 162.222.225.29
| SecuriteInfo.com.W32.AIDetectNet.01.30938.exe | Get hash | malicious | Browse | 208.91.198.38
| SecuriteInfo.com.W32.AIDetectNet.01.23081.exe | Get hash | malicious | Browse | 208.91.198.46
| Fattura Proforma (C) n 31.exe | Get hash | malicious | Browse | 208.91.198.38
| SecuriteInfo.com.Variant.MSILHeracles.38518.260.exe | Get hash | malicious | Browse | 208.91.198.38
| SecuriteInfo.com.W32.AIDetectNet.01.27311.exe | Get hash | malicious | Browse | 162.222.225.16
| DHL STATEMENT OF ACCOUNT - 1003674090.exe | Get hash | malicious | Browse | 208.91.198.46
| SecuriteInfo.com.UDS.Trojan-PSW.MSIL.Agensla.gen.24372.exe | Get hash | malicious | Browse | 162.222.225.16
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                        No context
                                                                                        No context
Process: C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5: 2E016B886BDB8389D2DD0867BE55F87B
SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512: C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious: true
Reputation: high, very likely benign file
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.759033728590169
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: DHL - OVERDUE ACCOUNT - 1301154822.exe
File size: 749568
MD5: 420273f8012dc23eff9195fa55f878d9
SHA1: 3927ab6547e261c3f12592210bad348a8a0e0d95
SHA256: da1c892564b950627b9643b9bacb000a6b79f500a75faef4f76c81b974319c83
SHA512: ec95bec3fb8f524d91fe7fc090213ac8b60f0dfdcd5f06002736e8442c403d642765067eafe9a12efdf78b1ce3f5eb86eca99d7d0431bb58c8fcfe49937a3bf9
SSDEEP: 12288:5C8F2j9bHoAUzvqVb0eeDr4ctdzV0iyWuQ3k27axxrz7lmpEsqXs6St:w8shbHoSeD0ctJV/ZR3vOxxraqXs6S
TLSH: 82F4F104B2F84B22F67A53FE9574518007B6BD596920E34E1CC278DB3A72F528E85F1B
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$/.b..............0......Z.......3... ...@....@.. ....................................@................................
Icon Hash: 4462f276dcec30e6
Entrypoint: 0x4b338a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x62902F24 [Fri May 27 01:53:40 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the rest of the disassembled entrypoint window is zero padding, which the disassembler renders as repeated "add byte ptr [eax], al")
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3338 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x57c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb3200 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb1390 | 0xb1400 | False | 0.86633765647 | data | 7.75793863969 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xb4000 | 0x57c4 | 0x5800 | False | 0.964621803977 | data | 7.89121080689 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xb4100 | 0x51a3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xb92b4 | 0x14 | data | |
RT_VERSION | 0xb92d8 | 0x2ec | data | |
RT_MANIFEST | 0xb95d4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright |
Assembly Version | 1.0.0.0
InternalName | ActivityTrac.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName |
ProductVersion | 1.0.0.0
FileDescription |
OriginalFilename | ActivityTrac.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 18:07:09.875937939 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:10.084996939 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:10.085175037 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:10.837214947 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:10.837544918 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:11.046438932 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:11.046566963 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:11.046884060 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:11.256035089 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:11.296288967 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:11.505832911 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:11.505858898 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:11.505875111 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:11.505888939 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:11.506030083 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:11.506091118 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:11.507992029 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:11.577621937 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:11.715512037 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:11.761462927 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:11.971519947 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:12.064943075 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:12.274142981 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:12.275145054 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:12.485204935 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:12.485819101 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:12.697855949 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:12.698784113 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
May 27, 2022 18:07:12.910339117 CEST | 587 | 49760 | 162.222.225.16 | 192.168.2.4
May 27, 2022 18:07:12.910876036 CEST | 49760 | 587 | 192.168.2.4 | 162.222.225.16
                                                                                        May 27, 2022 18:07:13.140733004 CEST58749760162.222.225.16192.168.2.4
                                                                                        May 27, 2022 18:07:13.150954008 CEST49760587192.168.2.4162.222.225.16
                                                                                        May 27, 2022 18:07:13.360922098 CEST58749760162.222.225.16192.168.2.4
                                                                                        May 27, 2022 18:07:13.484044075 CEST49760587192.168.2.4162.222.225.16
                                                                                        May 27, 2022 18:07:13.561599970 CEST49760587192.168.2.4162.222.225.16
                                                                                        May 27, 2022 18:07:13.561758041 CEST49760587192.168.2.4162.222.225.16
                                                                                        May 27, 2022 18:07:13.564769030 CEST49760587192.168.2.4162.222.225.16
                                                                                        May 27, 2022 18:07:13.564810991 CEST49760587192.168.2.4162.222.225.16
                                                                                        May 27, 2022 18:07:13.770812988 CEST58749760162.222.225.16192.168.2.4
                                                                                        May 27, 2022 18:07:13.774060011 CEST58749760162.222.225.16192.168.2.4
                                                                                        May 27, 2022 18:07:13.896991014 CEST58749760162.222.225.16192.168.2.4
                                                                                        May 27, 2022 18:07:14.077861071 CEST49760587192.168.2.4162.222.225.16
                                                                                        May 27, 2022 18:08:49.759315968 CEST49760587192.168.2.4162.222.225.16
                                                                                        May 27, 2022 18:08:49.968873978 CEST58749760162.222.225.16192.168.2.4
                                                                                        May 27, 2022 18:08:49.969243050 CEST58749760162.222.225.16192.168.2.4
                                                                                        May 27, 2022 18:08:49.969353914 CEST49760587192.168.2.4162.222.225.16
                                                                                        May 27, 2022 18:08:49.972047091 CEST49760587192.168.2.4162.222.225.16
Timestamp                              Source Port  Dest Port  Source IP    Dest IP
May 27, 2022 18:07:09.824208021 CEST   64454        53         192.168.2.4  8.8.8.8
May 27, 2022 18:07:09.844131947 CEST   53           64454      8.8.8.8      192.168.2.4

Timestamp                              Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
May 27, 2022 18:07:09.824208021 CEST   192.168.2.4  8.8.8.8  0x2020    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)

Timestamp                              Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address         Type            Class
May 27, 2022 18:07:09.844131947 CEST   8.8.8.8    192.168.2.4  0x2020    No error (0)  us2.smtp.mailhostbox.com         162.222.225.16  A (IP address)  IN (0x0001)
May 27, 2022 18:07:09.844131947 CEST   8.8.8.8    192.168.2.4  0x2020    No error (0)  us2.smtp.mailhostbox.com         208.91.198.46   A (IP address)  IN (0x0001)
May 27, 2022 18:07:09.844131947 CEST   8.8.8.8    192.168.2.4  0x2020    No error (0)  us2.smtp.mailhostbox.com         208.91.198.38   A (IP address)  IN (0x0001)
May 27, 2022 18:07:09.844131947 CEST   8.8.8.8    192.168.2.4  0x2020    No error (0)  us2.smtp.mailhostbox.com         162.222.225.29  A (IP address)  IN (0x0001)

Timestamp                              Source Port  Dest Port  Source IP       Dest IP         Commands
May 27, 2022 18:07:10.837214947 CEST   587          49760      162.222.225.16  192.168.2.4     220 us2.outbound.mailhostbox.com ESMTP Postfix
May 27, 2022 18:07:10.837544918 CEST   49760        587        192.168.2.4     162.222.225.16  EHLO 813848
May 27, 2022 18:07:11.046566963 CEST   587          49760      162.222.225.16  192.168.2.4     250-us2.outbound.mailhostbox.com
                                                                                               250-PIPELINING
                                                                                               250-SIZE 41648128
                                                                                               250-VRFY
                                                                                               250-ETRN
                                                                                               250-STARTTLS
                                                                                               250-AUTH PLAIN LOGIN
                                                                                               250-AUTH=PLAIN LOGIN
                                                                                               250-ENHANCEDSTATUSCODES
                                                                                               250-8BITMIME
                                                                                               250-DSN
                                                                                               250 CHUNKING
May 27, 2022 18:07:11.046884060 CEST   49760        587        192.168.2.4     162.222.225.16  STARTTLS
May 27, 2022 18:07:11.256035089 CEST   587          49760      162.222.225.16  192.168.2.4     220 2.0.0 Ready to start TLS


                                                                                        Target ID:0
                                                                                        Start time:18:06:39
                                                                                        Start date:27/05/2022
                                                                                        Path:C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe"
                                                                                        Imagebase:0x690000
                                                                                        File size:749568 bytes
                                                                                        MD5 hash:420273F8012DC23EFF9195FA55F878D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.288320450.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.293031358.0000000003BAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.293031358.0000000003BAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.296993715.0000000007370000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.288920805.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low

                                                                                        Target ID:4
                                                                                        Start time:18:06:52
                                                                                        Start date:27/05/2022
                                                                                        Path:C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\Desktop\DHL - OVERDUE ACCOUNT - 1301154822.exe
                                                                                        Imagebase:0x8d0000
                                                                                        File size:749568 bytes
                                                                                        MD5 hash:420273F8012DC23EFF9195FA55F878D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.283147306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.283147306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.284135200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.284135200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.283695298.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.283695298.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.512729273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.512729273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.278936192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.278936192.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.516989627.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low


                                                                                          Execution Graph

                                                                                          Execution Coverage:11.7%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:103
                                                                                          Total number of Limit Nodes:7
Execution graph (rendered as a figure in the report; its nodes reference the API calls GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA, LoadLibraryExW, GetModuleHandleW, DrawTextExW and DuplicateHandle)

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 0110C5F0
                                                                                          • GetCurrentThread.KERNEL32 ref: 0110C62D
                                                                                          • GetCurrentProcess.KERNEL32 ref: 0110C66A
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0110C6C3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2063062207-0
                                                                                          • Opcode ID: a75d702b1e90eca0df178eacadde221d5e0e7e26dfbc0bd4f07e791754a6b224
                                                                                          • Instruction ID: ea44e4ecce241a9f323d0f5de8a8ed5913b35add87ca695cfb6cb97ac7f9203a
                                                                                          • Opcode Fuzzy Hash: a75d702b1e90eca0df178eacadde221d5e0e7e26dfbc0bd4f07e791754a6b224
                                                                                          • Instruction Fuzzy Hash: 1B5153B0D002498FDB14CFA9D948BDEBBF0AF48304F208599E409B7391DB75A885CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 0110C5F0
                                                                                          • GetCurrentThread.KERNEL32 ref: 0110C62D
                                                                                          • GetCurrentProcess.KERNEL32 ref: 0110C66A
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0110C6C3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2063062207-0
                                                                                          • Opcode ID: c67135ac6d5f7173217eb42d2eb22f67217a0f617b1a25718ac5bb896086e702
                                                                                          • Instruction ID: 0781da04bcfcafe9ecb8a0fab3fa2e3d894bb36a97b0eb608fd14e2ebcb2822b
                                                                                          • Opcode Fuzzy Hash: c67135ac6d5f7173217eb42d2eb22f67217a0f617b1a25718ac5bb896086e702
                                                                                          • Instruction Fuzzy Hash: 715123B0E003498FDB14CFA9D94879EBBF1AF48314F248599E419B7390DB75A884CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

Control-flow graph for 110a290-110a500 (rendered as a figure; legend: Executed / Not Executed; blocks call 1109f1c, 110a508 / 110a518, 1109f28, 1109f38, 1109f48, 1109f58 and GetModuleHandleW)
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0110A4D6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 6733b29435ba86a23e40cf5a9049faa518ed82df854eabe4cd94f7e9b8c5c9a0
                                                                                          • Instruction ID: a94b048aba1e53c4a023fa583e1ffc079a9bd5b307650477304319fdb6612f9d
                                                                                          • Opcode Fuzzy Hash: 6733b29435ba86a23e40cf5a9049faa518ed82df854eabe4cd94f7e9b8c5c9a0
                                                                                          • Instruction Fuzzy Hash: 70712470A04B058FD729DF29D05479ABBF1FF88214F008A2DD58ADBA90DBB5E845CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

Control-flow graph for 1105364-11054b9 (rendered as a figure; legend: Executed / Not Executed; the entry block calls CreateActCtxA)
                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 01105421
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          • Opcode ID: c02c84a2e024999aa19b1d16fbf656c8ccd97beaca61dbfa7eb7b60b9ba9a732
                                                                                          • Instruction ID: cdda916c7349ec385a7eb2ca4e3413e96c2f1bd5786019938869cf625d9aaa27
                                                                                          • Opcode Fuzzy Hash: c02c84a2e024999aa19b1d16fbf656c8ccd97beaca61dbfa7eb7b60b9ba9a732
                                                                                          • Instruction Fuzzy Hash: 65410270D04658CFDB25CFA9C884BCEBBB2FF48308F218169D419AB251EBB5594ACF50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                           Control-flow Graph (rendered as an image in the original report; Executed / Not Executed node colouring not recoverable in text)
                                                                                           • Blocks: 113: 1103e94-1105431 (CreateActCtxA); 116: 1105433-1105439; 117: 110543a-1105494; 124: 11054a3-11054a7; 125: 1105496-1105499; 126: 11054b8; 127: 11054a9-11054b5; 129: 11054b9
                                                                                           • Edges: 113->116, 113->117, 116->117, 117->124, 117->125, 124->126, 124->127, 125->124, 126->129, 127->126, 129->129
                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 01105421
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          • Opcode ID: e21b37dc1dd262ef0d9806d71970bd6e7e9456987877ec205c9ef020783d4cee
                                                                                          • Instruction ID: 194ef95a71aad32f959ae68b289f241e046b84ae0b8ef8e2c3ec2c71627bf9dc
                                                                                          • Opcode Fuzzy Hash: e21b37dc1dd262ef0d9806d71970bd6e7e9456987877ec205c9ef020783d4cee
                                                                                          • Instruction Fuzzy Hash: C2410170D0461CCBDB29CFA9C8447CEBBB6FF48308F618069D418AB250EBB56946CF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                           Control-flow Graph (rendered as an image in the original report; Executed / Not Executed node colouring not recoverable in text)
                                                                                           • Blocks: 130: 5170d6c-5172384; 132: 5172386-517238c; 133: 517238f-517239e; 134: 51723a3-51723dc (DrawTextExW); 135: 51723a0; 136: 51723e5-5172402; 137: 51723de-51723e4
                                                                                           • Edges: 130->132, 130->133, 132->133, 133->134, 133->135, 134->136, 134->137, 135->134, 137->136
                                                                                          APIs
                                                                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0517231D,?,?), ref: 051723CF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.295068017.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_5170000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: DrawText
                                                                                          • String ID:
                                                                                          • API String ID: 2175133113-0
                                                                                          • Opcode ID: 38c17e2b44c74f37e4e7c518f11bc197a37a5bc4623e6b98e9ca9313e7aa4b76
                                                                                          • Instruction ID: 4742794bc9203bac7b970919fb4f201e44fbbbd4ed8e45825eb0e8d17414878b
                                                                                          • Opcode Fuzzy Hash: 38c17e2b44c74f37e4e7c518f11bc197a37a5bc4623e6b98e9ca9313e7aa4b76
                                                                                          • Instruction Fuzzy Hash: 2431E0B5D002499FCB10CF9AD884AAEFBF5FF48320F14842AE825A7310D774A945CFA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                           Control-flow Graph (rendered as an image in the original report; Executed / Not Executed node colouring not recoverable in text)
                                                                                           • Blocks: 140: 110c7b1-110c84c (DuplicateHandle); 141: 110c855-110c872; 142: 110c84e-110c854
                                                                                           • Edges: 140->141, 140->142, 142->141
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110C83F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: dee50026146f9c25f5d892ecd316ec9ba4fc8795fa0a88921cdead689e2175d5
                                                                                          • Instruction ID: e20f31717396e2a3ec3bae0ac92ae19c0350be148cd11204bf54f189d62d071f
                                                                                          • Opcode Fuzzy Hash: dee50026146f9c25f5d892ecd316ec9ba4fc8795fa0a88921cdead689e2175d5
                                                                                          • Instruction Fuzzy Hash: EF21D2B5D00248AFDB10CFA9D984AEEBFF4EB48324F14845AE955A3350D378A945CFA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                           Control-flow Graph (rendered as an image in the original report; Executed / Not Executed node colouring not recoverable in text)
                                                                                           • Blocks: 145: 110c7b8-110c84c (DuplicateHandle); 146: 110c855-110c872; 147: 110c84e-110c854
                                                                                           • Edges: 145->146, 145->147, 147->146
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110C83F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: e1d6b704c01351d46b180438100fdad736e5a0e2d1fbe282457e7bc4e8104a76
                                                                                          • Instruction ID: 7ebcb1d8c6909ab93fafc0c8630517eae0a9b78605803f51d0675c243871a97f
                                                                                          • Opcode Fuzzy Hash: e1d6b704c01351d46b180438100fdad736e5a0e2d1fbe282457e7bc4e8104a76
                                                                                          • Instruction Fuzzy Hash: 4721B0B5D00248AFDB10CFA9D984ADEFBF8EB48324F14841AE915A3350D378A944CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                           Control-flow Graph (rendered as an image in the original report; Executed / Not Executed node colouring not recoverable in text)
                                                                                           • Blocks: 150: 1109f80-110a738; 152: 110a740-110a76f (LoadLibraryExW); 153: 110a73a-110a73d; 154: 110a771-110a777; 155: 110a778-110a795
                                                                                           • Edges: 150->152, 150->153, 152->154, 152->155, 153->152, 154->155
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0110A551,00000800,00000000,00000000), ref: 0110A762
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 744cbd516a45c01925236dcf520876d59f876b06686a6f35406dfaa930c73f9c
                                                                                          • Instruction ID: 35d4f15f79444d2ec7073d2d3d0f03d581fb8c31a7819add5ac4811ea858bb8f
                                                                                          • Opcode Fuzzy Hash: 744cbd516a45c01925236dcf520876d59f876b06686a6f35406dfaa930c73f9c
                                                                                          • Instruction Fuzzy Hash: 071103B6D003499FDB14CF9AD844A9EFBF4EF88324F04842AD516B7240C7B9A945CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                           Control-flow Graph (rendered as an image in the original report; Executed / Not Executed node colouring not recoverable in text)
                                                                                           • Blocks: 158: 110a6f1-110a738; 159: 110a740-110a76f (LoadLibraryExW); 160: 110a73a-110a73d; 161: 110a771-110a777; 162: 110a778-110a795
                                                                                           • Edges: 158->159, 158->160, 159->161, 159->162, 160->159, 161->162
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0110A551,00000800,00000000,00000000), ref: 0110A762
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 22456304d6f4612d18dab6102fab46638ec010ab6c582205e5113dedc122ef07
                                                                                          • Instruction ID: e9e667f24edf34d0122ddddbda35251db6c66830f8a3c44a755880dbf9983932
                                                                                          • Opcode Fuzzy Hash: 22456304d6f4612d18dab6102fab46638ec010ab6c582205e5113dedc122ef07
                                                                                          • Instruction Fuzzy Hash: E11106B6D003499FDB14CFA9D444ADEFBF5EF48324F14842AD555A7200C3799545CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                           Control-flow Graph (rendered as an image in the original report; Executed / Not Executed node colouring not recoverable in text)
                                                                                           • Blocks: 165: 110a470-110a4b0; 166: 110a4b2-110a4b5; 167: 110a4b8-110a4e3 (GetModuleHandleW); 168: 110a4e5-110a4eb; 169: 110a4ec-110a500
                                                                                           • Edges: 165->166, 165->167, 166->167, 167->168, 167->169, 168->169
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0110A4D6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 41a960e84255671f59a4f4d97523ae53905d8dfbf8a50e9abd2512ca5f90882a
                                                                                          • Instruction ID: 717c158c64ba8676856d8e43f33ee573c85242cb361070f276c5f3eae802f2d9
                                                                                          • Opcode Fuzzy Hash: 41a960e84255671f59a4f4d97523ae53905d8dfbf8a50e9abd2512ca5f90882a
                                                                                          • Instruction Fuzzy Hash: E511F0B5D003498BDB14CF9AD448A9EFBF4AF88224F15841AD419B7200C378A545CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286463310.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_100d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 971b1ba2b4ee7a018cfdbce8eab4339ebf3742dd40533b0dcb8c0ed76d71aa86
                                                                                          • Instruction ID: 5b21d46c50aea11945c3da00f587881576d826c3a5d483d51078894d238d0a19
                                                                                          • Opcode Fuzzy Hash: 971b1ba2b4ee7a018cfdbce8eab4339ebf3742dd40533b0dcb8c0ed76d71aa86
                                                                                          • Instruction Fuzzy Hash: E42106B1504240DFEB12DF94D8C0B2ABFA5FB88318F2485A9ED455B286C736D445C7B1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286463310.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_100d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ce9f45ebc7399ccf8031874ffbfa71d13c666c87f2e45a8d6482939f77f66107
                                                                                          • Instruction ID: 5f690de742b3227b7c3b02d9b3fb34ad083b0cfc984baa00f1b1dda0ed10377c
                                                                                          • Opcode Fuzzy Hash: ce9f45ebc7399ccf8031874ffbfa71d13c666c87f2e45a8d6482939f77f66107
                                                                                          • Instruction Fuzzy Hash: 0D2148B1504244DFEB02CF94D8C0B6ABFA5FB84324F25C5A9E9454B286C736E846C7B2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286482256.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_101d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c8ce04f2087923f76994e0f47597054cb3a50e0998a347ab31c888bef502650c
                                                                                          • Instruction ID: a786d615530043fd2c5630405913a4f2e03f58e6c18e64eb72c9a3b20de71578
                                                                                          • Opcode Fuzzy Hash: c8ce04f2087923f76994e0f47597054cb3a50e0998a347ab31c888bef502650c
                                                                                          • Instruction Fuzzy Hash: 98216E71504240EFDB01CF94D9C4B69BBA5FB84324F24C6ADE9494F24AC33ED806CB61
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286482256.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_101d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fd01962b63967ea03f46f666ec901045e8f9202988ae3a82f510bf555875ccbe
                                                                                          • Instruction ID: d12d032827fc8d03f7d13003a9f11580ce5fda5dfbf606a56d7a5fe6dfc6792c
                                                                                          • Opcode Fuzzy Hash: fd01962b63967ea03f46f666ec901045e8f9202988ae3a82f510bf555875ccbe
                                                                                          • Instruction Fuzzy Hash: 7B212875504240DFCB16CF54D8C8B1ABBA5FB84354F24C5ADE9494B24AC33AD846C761
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286463310.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_100d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
                                                                                          • Instruction ID: be3a440b6c23fc0aee670ffb107260878eb397818340d5da678861fcd1641444
                                                                                          • Opcode Fuzzy Hash: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
                                                                                          • Instruction Fuzzy Hash: 9911E172404280DFDB12CF44D9C0B56BFB1FB84324F24C2A9D8490B657C33AE45ACBA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286463310.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_100d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
                                                                                          • Instruction ID: 57918426ae138a3d0f45448343884c8d41b79caab093cb4c7fa68dab79a78ac6
                                                                                          • Opcode Fuzzy Hash: 8760001a56973c006fccc1098cf6934b5270701d3d0f935ddaf206bc60356589
                                                                                          • Instruction Fuzzy Hash: 8811AF76504280DFDB12CF54D9C4B16BFB1FB88324F24C6A9DC450B656C336D45ACBA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286482256.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_101d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 23ef000f9f01c3cbc7819e7b34e3410c25c35ace3d447a5c883323dd61256c7a
                                                                                          • Instruction ID: 5004f07db82205f3cf36f07cacb98b078b0e4458a1b507f6c1f7ac43b42d85cc
                                                                                          • Opcode Fuzzy Hash: 23ef000f9f01c3cbc7819e7b34e3410c25c35ace3d447a5c883323dd61256c7a
                                                                                          • Instruction Fuzzy Hash: 7C119075504280DFDB12CF54D5C4B15FFA1FB44314F24C6AAE8494B65AC33BD44ACBA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286482256.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_101d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 23ef000f9f01c3cbc7819e7b34e3410c25c35ace3d447a5c883323dd61256c7a
                                                                                          • Instruction ID: d9bc5799c2aa1dc0e540f2c006640f5a6c4d6a40043e1ed44075ca338b3ad962
                                                                                          • Opcode Fuzzy Hash: 23ef000f9f01c3cbc7819e7b34e3410c25c35ace3d447a5c883323dd61256c7a
                                                                                          • Instruction Fuzzy Hash: 3E11BB75904280DFCB52CF54D5C4B55BBA1FB84224F28C6A9D8894B65AC33AD44ACB61
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286463310.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_100d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 36887ce90892f74098df7030ec172267ccdcf581157ef7659c6f0fa217fbe4d2
                                                                                          • Instruction ID: bda5df9ea1be559f5efd91d0815921567dae8d4890c3a2da1c896e263aa6f5ad
                                                                                          • Opcode Fuzzy Hash: 36887ce90892f74098df7030ec172267ccdcf581157ef7659c6f0fa217fbe4d2
                                                                                          • Instruction Fuzzy Hash: F601FC714083C49AF7124E99CCC476EFBD8FF41278F04C55AEA585A287E7799444CBB1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.286463310.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_100d000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8d73bbc478182d96ac2f9368370114d057cf441fdcf8ecf7815c14d9e0860b25
                                                                                          • Instruction ID: 1cc6a1a426b3b5870dca57bc78f9bdb4ca32027e171d709b842330ab8ca9836a
                                                                                          • Opcode Fuzzy Hash: 8d73bbc478182d96ac2f9368370114d057cf441fdcf8ecf7815c14d9e0860b25
                                                                                          • Instruction Fuzzy Hash: 53F0AF714042849AE7118E59C8C8B66FBD8EB81274F18C05AED484A287D3799844CBB1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.285714974.0000000000692000.00000002.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
                                                                                          • Associated: 00000000.00000002.285709263.0000000000690000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_690000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 28937a8a8873e4ddfa7a44d31ac19b6cd38f9736b4c1d368cd7a2790b545a6a0
                                                                                          • Instruction ID: 02117169b29d5f8956f9881c7bd6c4e5ec33b089935de3fc48fc45e7f87e8800
                                                                                          • Opcode Fuzzy Hash: 28937a8a8873e4ddfa7a44d31ac19b6cd38f9736b4c1d368cd7a2790b545a6a0
                                                                                          • Instruction Fuzzy Hash: 75C2F6A240E3C28FCB134B785CB55917FB2AE6321872E05CBC4C0CF5A7E619595BDB62
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d0a7fa421c9207d01f8eb3fe1ddda8f25e18110084d2f4c401a2c65f8a87b889
                                                                                          • Instruction ID: 282567ff109519330071ebdd84a0b22b4d185f71492ab0624474fb4efd5265e1
                                                                                          • Opcode Fuzzy Hash: d0a7fa421c9207d01f8eb3fe1ddda8f25e18110084d2f4c401a2c65f8a87b889
                                                                                          • Instruction Fuzzy Hash: 54A1BF36E0060A8FCF1ADFB5C8445DDBBB2FF84304B15856AE905BB2A1EB70E915CB40
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 14a27dc7e8ecd619ed040ac84c895c6c8da6853e5a51017e504ea56f58637264
                                                                                          • Instruction ID: cae3870d0c2b00d143efcd8ce1f2448ab942208b8641aa5ef379810967108acb
                                                                                          • Opcode Fuzzy Hash: 14a27dc7e8ecd619ed040ac84c895c6c8da6853e5a51017e504ea56f58637264
                                                                                          • Instruction Fuzzy Hash: 18D10AB1501746ABD7B8CF64E8CA1D93BA3F745328B904328D1716B6D8D7B411EACF84
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.287141211.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_1100000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 16741b31dad8cd141cba029a4cc976df0dd6621056c07d7da94982336b56450c
                                                                                          • Instruction ID: 3aaf7b25b7bcb47d992c31d53d770a6a2ac20f28fb0aad5f0a345cd4f1c90b64
                                                                                          • Opcode Fuzzy Hash: 16741b31dad8cd141cba029a4cc976df0dd6621056c07d7da94982336b56450c
                                                                                          • Instruction Fuzzy Hash: EF617F719117459BCB68DF74E8801DE77B2FF86324B618325D0317B2D8EB7424AACB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Execution Graph

                                                                                          Execution Coverage:11.2%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:134
                                                                                          Total number of Limit Nodes:7
                                                                                          [Execution graph: serialized node and edge data of the interactive graph widget (node IDs only, not recoverable as a figure). Entry functions: 65254f0, 104b0d0, 1044560, 617f470, 617d5b0, 617b7f0, 652561b, 617bec8, 617cbe8. API calls reached in the graph: GetModuleHandleW, CallWindowProcW, LoadLibraryA, RtlEncodePointer, OleInitialize, LdrInitializeThunk.]

                                                                                          Control-flow Graph

                                                                                          [Control-flow graph for function 617d5b0 (basic blocks 617d5b0-617e135); executed/not-executed block colouring of the interactive widget is not recoverable. API call in the graph: LdrInitializeThunk (block 617dd09-617dd43). Internal calls: 617e138, 617e148, 1043200, 61759b4, 61744f8, 61759c0, 61759cc, 61759d8, 61759e4.]
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.518685694.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_6170000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: a0f93717107a51551acef01bd6e861371c36fc2482d81d946c84627f336cfaf3
                                                                                          • Instruction ID: 773d189273374c63bea62b2b40626e90b32434099e1d637284161c4a4e600b7b
                                                                                          • Opcode Fuzzy Hash: a0f93717107a51551acef01bd6e861371c36fc2482d81d946c84627f336cfaf3
                                                                                          • Instruction Fuzzy Hash: 00620971E006198FCB64EF78C89569DB7F1AF89304F1085A9D54AAB354EF30AE85CF81
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          [Control-flow graph for function 617bec8 (basic blocks 617bec8-617c1fb); executed/not-executed block colouring of the interactive widget is not recoverable. API call in the graph: LdrInitializeThunk (block 617bec8-617bf14).]
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.518685694.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_6170000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: b2dea40db8bdbc303ffd0f145eeb220ee5c221e8fa8900e78e1075b3d19f40eb
                                                                                          • Instruction ID: 3a3074289ea5fb81e7f39ba2d82dfd612fda185cae335deb326665ee90079294
                                                                                          • Opcode Fuzzy Hash: b2dea40db8bdbc303ffd0f145eeb220ee5c221e8fa8900e78e1075b3d19f40eb
                                                                                          • Instruction Fuzzy Hash: 39714D75E00209CFDB64EFB4D5996AEBBF6AF84345F108828D002E7264DF79E941CB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          [Control-flow graph for function 6522fe8 (basic blocks 6522fe8-6523510); executed/not-executed block colouring of the interactive widget is not recoverable. API call in the graph: GetModuleHandleW (block 65234c8-65234f3). Internal calls: 652034c, 6523240, 6523250, 65225c4, 6524530, 6524540, 65225d4, 65225e4, 652351b, 6523528, 65225f0, 6520504, 6522600.]
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.519659702.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_6520000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: be9b36351eb4f3f00cef95a523894c757c89a635ec8a1b04084ad8beeffffc16
                                                                                          • Instruction ID: afe5ca03c08e364e55a1e6d4f9dd807e6a9537a73e38ef61a5054e8d0884d4f0
                                                                                          • Opcode Fuzzy Hash: be9b36351eb4f3f00cef95a523894c757c89a635ec8a1b04084ad8beeffffc16
                                                                                          • Instruction Fuzzy Hash: B7D18770A007168FDBA4CF69C44479ABBF1BF8A304F00896AD44ADB790DB39E945CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 318 617b741-617b742 319 617b744-617b748 318->319 320 617b749 318->320 319->320 321 617b751-617b75f 320->321 322 617b74c-617b750 320->322 323 617b784-617b792 321->323 324 617b761-617b76b 321->324 322->321 328 617b794-617b798 323->328 329 617b799-617b79a 323->329 325 617b780-617b783 324->325 326 617b76d-617b77e 324->326 326->325 328->329 331 617b7a1-617b7af 329->331 332 617b79c-617b79f 329->332 333 617b7d4-617b7e2 331->333 334 617b7b1-617b7bb 331->334 332->331 339 617b7e4-617b7e6 333->339 340 617b7e9-617b7ea 333->340 335 617b7d0-617b7d3 334->335 336 617b7bd-617b7ce 334->336 336->335 343 617b7ed-617b7f0 339->343 344 617b7e8 339->344 341 617b7f1-617b827 call 6175be8 call 6175d00 340->341 342 617b7ec 340->342 352 617b82f-617b835 341->352 342->343 343->341 344->340 353 617b83c 352->353 354 617b843-617b85a LdrInitializeThunk 353->354 355 617b9a3-617b9c0 354->355 356 617b860-617b87a 354->356 367 617b9c5-617b9ce 355->367 356->355 359 617b880-617b89a 356->359 363 617b8a0 359->363 364 617b89c-617b89e 359->364 365 617b8a3-617b8fe call 61758cc 363->365 364->365 375 617b904 365->375 376 617b900-617b902 365->376 377 617b907-617b9a1 call 61758cc 375->377 376->377 377->367
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.518685694.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_6170000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 4cd46c70529eee93701d88855a55093e318bf19cf022c548641ee6a9b78557a7
                                                                                          • Instruction ID: 7281bab9ebf43d9f122e1d39ce23509b35b6bf2efcfd743afba480fd026bf83d
                                                                                          • Opcode Fuzzy Hash: 4cd46c70529eee93701d88855a55093e318bf19cf022c548641ee6a9b78557a7
                                                                                          • Instruction Fuzzy Hash: C971F570A082459FCB50EF74C854AAEBBF6AF89304F14857AE511DB796EF30E8058B91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 465 617b7f0-617b85a call 6175be8 call 6175d00 LdrInitializeThunk 476 617b9a3-617b9c0 465->476 477 617b860-617b87a 465->477 488 617b9c5-617b9ce 476->488 477->476 480 617b880-617b89a 477->480 484 617b8a0 480->484 485 617b89c-617b89e 480->485 486 617b8a3-617b8fe call 61758cc 484->486 485->486 496 617b904 486->496 497 617b900-617b902 486->497 498 617b907-617b9a1 call 61758cc 496->498 497->498 498->488
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.518685694.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_6170000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 4b2b1955bc4bb693204a63ea445852480628404362dcdccdbcf787c474bf017a
                                                                                          • Instruction ID: df7505de47a7f524cb1c962dba1aec2b25dd0f06785d6e8089414ab012662837
                                                                                          • Opcode Fuzzy Hash: 4b2b1955bc4bb693204a63ea445852480628404362dcdccdbcf787c474bf017a
                                                                                          • Instruction Fuzzy Hash: 0151A271A142059FCB54EFB4C895AEEB7B6BF84344F148929E512DB395EF30E904CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 516 6522764-652539e 518 65253a0-65253a6 516->518 519 65253a9-65253b0 516->519 518->519 520 65253b2-65253b8 519->520 521 65253bb-652545a CreateWindowExW 519->521 520->521 523 6525463-652549b 521->523 524 652545c-6525462 521->524 528 65254a8 523->528 529 652549d-65254a0 523->529 524->523 530 65254a9 528->530 529->528 530->530
                                                                                          APIs
                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0652544A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.519659702.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_6520000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateWindow
                                                                                          • String ID:
                                                                                          • API String ID: 716092398-0
                                                                                          • Opcode ID: 906665ee50f156b7e8406725a7ce698ffffc88eeccaabef15c84a7818951c9e2
                                                                                          • Instruction ID: f5c82d17ec245a0eb01079aac52a7d66b891d3a3f538b9b08d232921e359018a
                                                                                          • Opcode Fuzzy Hash: 906665ee50f156b7e8406725a7ce698ffffc88eeccaabef15c84a7818951c9e2
                                                                                          • Instruction Fuzzy Hash: BD51BFB1D003199FDB14CF99C884ADEFBB5BF48314F24852AE419AB250E7749845CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%
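The control_flow_graph strings on this page are the textual form of the graph images: each integer is a basic-block id, the token after it is that block's address range, API names and "call <addr>" pairs belong to the block declared just before them, and "A->B" is an edge. The parser below is an added example, not part of the Joe Sandbox report; the token grammar is inferred from the strings themselves, and the names parse_cfg and summarise are this example's own. It rebuilds one graph so you can read off the entry block, any block whose only edge leads back to itself (530->530 in the CreateWindowExW function above), and the block in which an import is invoked, and it maps the "ref:" address from the APIs list back onto that block as a consistency check. The two sample strings are copied from this page (the CreateWindowExW function above and the CallWindowProcW function further down).

```python
"""Parse the control_flow_graph text Joe Sandbox prints beside each disassembled
function. Token grammar inferred from the report (an assumption, not a documented
format): "<id> <start>[-<end>]" declares a block and its hex address range,
"call <addr>" and "<ApiName>" attach to the current block, "<a>-><b>" is an edge."""
import re
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # direct call targets (ints)
    apis: list = field(default_factory=list)   # imported APIs named in the block


@dataclass
class CFG:
    blocks: dict
    edges: set

    def successors(self, n):
        return sorted(b for a, b in self.edges if a == n)

    def predecessors(self, n):
        return sorted(a for a, b in self.edges if b == n)

    def entry_blocks(self):
        return sorted(n for n in self.blocks if not self.predecessors(n))

    def exit_blocks(self):
        return sorted(n for n in self.blocks if not self.successors(n))

    def self_loops(self):
        # A block whose edge leads back to itself spins in place (530->530 below).
        return sorted(a for a, b in self.edges if a == b)

    def api_blocks(self):
        return {n: b.apis for n, b in self.blocks.items() if b.apis}

    def block_containing(self, addr):
        # Map a 'ref:' address from the report's APIs list back to its block.
        return next((n for n, b in self.blocks.items() if b.start <= addr <= b.end), None)


def parse_cfg(text):
    tokens = text.split()  # whitespace split also rejoins a graph wrapped over lines
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, set(), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.add((int(edge.group(1)), int(edge.group(2))))
        elif tok.isdigit():
            # An id is always followed by its range, so consume both here; that is
            # what stops an all-digit hex address such as 6523211 looking like an id.
            rng = RANGE_RE.match(tokens[i + 1])
            start = int(rng.group(1), 16)
            current = Block(int(tok), start, int(rng.group(2) or rng.group(1), 16))
            blocks[current.node_id] = current
            i += 1
        elif tok == "call":
            current.calls.append(int(tokens[i + 1], 16))
            i += 1
        else:
            current.apis.append(tok)
        i += 1
    return CFG(blocks, edges)


def summarise(text, api_refs=()):
    """Structure of one graph; api_refs are the 'ref:' addresses from the APIs list."""
    cfg = parse_cfg(text)
    return {
        "blocks": len(cfg.blocks), "edges": len(cfg.edges),
        "entry": cfg.entry_blocks(), "exit": cfg.exit_blocks(),
        "self_loops": cfg.self_loops(), "api_blocks": cfg.api_blocks(),
        "calls": {n: [hex(c) for c in b.calls] for n, b in cfg.blocks.items() if b.calls},
        "ref_blocks": {hex(a): cfg.block_containing(a) for a in api_refs},
    }


# Two graph strings copied from this report: the CreateWindowExW function at
# 0x6522764 and the CallWindowProcW function at 0x65261f4.
CREATE_WINDOW_CFG = (
    "control_flow_graph 516 6522764-652539e 518 65253a0-65253a6 516->518 519 65253a9-65253b0 "
    "516->519 518->519 520 65253b2-65253b8 519->520 521 65253bb-652545a CreateWindowExW "
    "519->521 520->521 523 6525463-652549b 521->523 524 652545c-6525462 521->524 528 65254a8 "
    "523->528 529 652549d-65254a0 523->529 524->523 530 65254a9 528->530 529->528 530->530"
)
CALL_WINDOW_PROC_CFG = (
    "control_flow_graph 617 65261f4-6527a9c 620 6527aa2-6527aa7 617->620 621 6527b4c-6527b6c "
    "call 652278c 617->621 623 6527afa-6527b32 CallWindowProcW 620->623 624 6527aa9-6527ae0 "
    "620->624 629 6527b6f-6527b7c 621->629 625 6527b34-6527b3a 623->625 626 6527b3b-6527b4a "
    "623->626 630 6527ae2-6527ae8 624->630 631 6527ae9-6527af8 624->631 625->626 626->629 "
    "630->631 631->629"
)

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarise(CREATE_WINDOW_CFG, api_refs=[0x0652544A]))   # CreateWindowExW ref
    pprint(summarise(CALL_WINDOW_PROC_CFG, api_refs=[0x06527B21]))  # CallWindowProcW ref
```

For the CreateWindowExW graph the summary reports a single entry block (516), no block without successors, block 530 looping on itself, and the ref address 0652544A from the APIs list landing in block 521, the same block the graph text tags with CreateWindowExW. Feed it the long first graph on this page, wrapped over two lines as extracted, and the whitespace split still yields one graph.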

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 531 617be28-617be37 532 617be5c-617be70 531->532 533 617be39-617be43 531->533 538 617bea4-617bea6 532->538 539 617be72 532->539 534 617be45-617be56 533->534 535 617be58-617be5b 533->535 534->535 540 617bea8-617beab 538->540 541 617be74-617be75 539->541 542 617be79-617be87 539->542 541->542 543 617beac-617bf14 LdrInitializeThunk 542->543 544 617be89-617be93 542->544 551 617bf1b-617bf27 543->551 544->540 545 617be95-617be9c 544->545 545->538 552 617c145-617c158 551->552 553 617bf2d-617bf36 551->553 556 617c17f-617c183 552->556 554 617bf3c-617bf51 553->554 555 617c17a 553->555 560 617bf53-617bf66 554->560 561 617bf6b-617bf86 554->561 555->556 557 617c185 556->557 558 617c18e-617c1fb 556->558 557->558 563 617c119-617c11d 560->563 575 617bf94 561->575 576 617bf88-617bf92 561->576 564 617c11f 563->564 565 617c128-617c131 563->565 564->565 571 617c175 565->571 572 617c133-617c13f 565->572 571->555 572->552 572->553 577 617bf99-617bf9b 575->577 576->577 578 617bfb5-617c050 577->578 579 617bf9d-617bfb0 577->579 597 617c052-617c05c 578->597 598 617c05e 578->598 579->563 599 617c063-617c065 597->599 598->599 600 617c067-617c069 599->600 601 617c0c3-617c117 599->601 602 617c077 600->602 603 617c06b-617c075 600->603 601->563 605 617c07c-617c07e 602->605 603->605 605->601 606 617c080-617c0c1 605->606 606->601
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.518685694.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_6170000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 64a57318944ffdcf017c3c7fddb6986e56f93f028e7e7c0f8bdcc643ce111cd4
                                                                                          • Instruction ID: 0360a91e98c0f151970607ac37c223232da555430121917db7e2fd73b76dbc5f
                                                                                          • Opcode Fuzzy Hash: 64a57318944ffdcf017c3c7fddb6986e56f93f028e7e7c0f8bdcc643ce111cd4
                                                                                          • Instruction Fuzzy Hash: AE41C230A08389CFD714DBB9D8597AABBB1AF85304F1484B5D504DB3A1DB39DC42CB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 617 65261f4-6527a9c 620 6527aa2-6527aa7 617->620 621 6527b4c-6527b6c call 652278c 617->621 623 6527afa-6527b32 CallWindowProcW 620->623 624 6527aa9-6527ae0 620->624 629 6527b6f-6527b7c 621->629 625 6527b34-6527b3a 623->625 626 6527b3b-6527b4a 623->626 630 6527ae2-6527ae8 624->630 631 6527ae9-6527af8 624->631 625->626 626->629 630->631 631->629
                                                                                          APIs
                                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 06527B21
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.519659702.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_6520000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallProcWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2714655100-0
                                                                                          • Opcode ID: 00592d63b7e2c7dc644952a0dc93a0e0125d0f9024000f92ba1b308dec08dd23
                                                                                          • Instruction ID: 80fc90aa21e198a5ead26363205094ea918c4e8e0ce954fb1e8c60b54ea2ca3f
                                                                                          • Opcode Fuzzy Hash: 00592d63b7e2c7dc644952a0dc93a0e0125d0f9024000f92ba1b308dec08dd23
                                                                                          • Instruction Fuzzy Hash: 874169B4A0021A9FCB54CF99C488AAABBF5FF8D314F148459E519A7361D730A945CFA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 634 104cfec-104d04f 635 104d051-104d05b 634->635 636 104d088-104d0d2 LoadLibraryA 634->636 635->636 637 104d05d-104d05f 635->637 641 104d0d4-104d0da 636->641 642 104d0db-104d10c 636->642 639 104d061-104d06b 637->639 640 104d082-104d085 637->640 643 104d06d 639->643 644 104d06f-104d07e 639->644 640->636 641->642 648 104d11c 642->648 649 104d10e-104d112 642->649 643->644 644->644 646 104d080 644->646 646->640 651 104d11d 648->651 649->648 650 104d114 649->650 650->648 651->651
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNELBASE(?), ref: 0104D0C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.516265996.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_1040000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 7a32050544a9d94e720ec4fd9ef89c84c8e61bb1db0be6b42e721339b54f8899
                                                                                          • Instruction ID: 078d142165ba446cbaef22f96d9702e919759637b9f8797207b259af031b9ba7
                                                                                          • Opcode Fuzzy Hash: 7a32050544a9d94e720ec4fd9ef89c84c8e61bb1db0be6b42e721339b54f8899
                                                                                          • Instruction Fuzzy Hash: 2E3143B0D002899FDB14CFA8C88579EFFF1BB18354F14852EE855AB281D7759486CF92
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 652 1049e18-104d04f 654 104d051-104d05b 652->654 655 104d088-104d0d2 LoadLibraryA 652->655 654->655 656 104d05d-104d05f 654->656 660 104d0d4-104d0da 655->660 661 104d0db-104d10c 655->661 658 104d061-104d06b 656->658 659 104d082-104d085 656->659 662 104d06d 658->662 663 104d06f-104d07e 658->663 659->655 660->661 667 104d11c 661->667 668 104d10e-104d112 661->668 662->663 663->663 665 104d080 663->665 665->659 670 104d11d 667->670 668->667 669 104d114 668->669 669->667 670->670
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNELBASE(?), ref: 0104D0C2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.516265996.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_1040000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 400d71647437aa72100b887c721caaddc83f721f6af911334894d92bbf24535f
                                                                                          • Instruction ID: 9231c227777e9e433d844a85027fd877d84964de495169820fd1c02dcac34c00
                                                                                          • Opcode Fuzzy Hash: 400d71647437aa72100b887c721caaddc83f721f6af911334894d92bbf24535f
                                                                                          • Instruction Fuzzy Hash: 003142B0D002499FDB24DFA8C8857DEBBF1FB18354F14852AE855AB280DB749486CF96
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1290 1044cd8-1044d2a 1294 1044d30 1290->1294 1295 1044d2c-1044d2e 1290->1295 1296 1044d35-1044d40 1294->1296 1295->1296 1297 1044da1-1044dae 1296->1297 1298 1044d42-1044d73 RtlEncodePointer 1296->1298 1300 1044d75-1044d7b 1298->1300 1301 1044d7c-1044d9c 1298->1301 1300->1301 1301->1297
                                                                                          APIs
                                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 01044D62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.516265996.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_1040000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: EncodePointer
                                                                                          • String ID:
                                                                                          • API String ID: 2118026453-0
                                                                                          • Opcode ID: d80e188ad003806b54cbf3fa18571eec70d18c671a0b76e92393287175f0ba22
                                                                                          • Instruction ID: 2fdadaa2c36aa66d3829a24c557fae5b05405a22f0d4ddec88816cac60c51925
                                                                                          • Opcode Fuzzy Hash: d80e188ad003806b54cbf3fa18571eec70d18c671a0b76e92393287175f0ba22
                                                                                          • Instruction Fuzzy Hash: 292189B09107098FDB60DFA8D9897DEBBF4FB49324F18846AD445E3605C7386504CFA6
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1303 65236e0-65236e2 1304 65236e4-65236e7 1303->1304 1305 65236e9-6523728 1303->1305 1304->1305 1306 6523730-652375f LoadLibraryExW 1305->1306 1307 652372a-652372d 1305->1307 1308 6523761-6523767 1306->1308 1309 6523768-6523785 1306->1309 1307->1306 1308->1309
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06523561,00000800,00000000,00000000), ref: 06523752
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.519659702.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_6520000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 044f3fe67f9480fde77946718c8670da6dacea58adfc8ae158ebe0d25a964b87
                                                                                          • Instruction ID: 2717b11a82da4d97dd12f4e69decfd8d7bc602cd4879d35fbc6335ef28264451
                                                                                          • Opcode Fuzzy Hash: 044f3fe67f9480fde77946718c8670da6dacea58adfc8ae158ebe0d25a964b87
                                                                                          • Instruction Fuzzy Hash: FC1122B6D002499FCB14CF9AC584ADEFBF4BB89324F14842AD429B7300C379A549CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not preserved in text)
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06523561,00000800,00000000,00000000), ref: 06523752
Memory Dump Source
• Source File: 00000004.00000002.519659702.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6520000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: e4b5d64fa28eb21862d90cfc5944e426e3919e25ca064a6d92e99d316fa3e4d8
• Instruction ID: 8a57c6e9a3a5aa421d7b9bf2cb438f224bfb7f10cf8ed11b2cbb20871c5d26a8
• Opcode Fuzzy Hash: e4b5d64fa28eb21862d90cfc5944e426e3919e25ca064a6d92e99d316fa3e4d8
• Instruction Fuzzy Hash: CC1103B6D002499FCB10CF9AC488A9EFBF4EB89324F04842AE415B7240C379A549CFA5
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not preserved in text)
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 01044D62
Memory Dump Source
• Source File: 00000004.00000002.516265996.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1040000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: bc3ca0fd512c62b4fffa42f0547fefd263113a8dd7ed4d3d3d06fdc8cfd26ef4
• Instruction ID: 58fd7ff014bc4f4bc67d420569fe50e6f018957de3b47e2327ede028298950b1
• Opcode Fuzzy Hash: bc3ca0fd512c62b4fffa42f0547fefd263113a8dd7ed4d3d3d06fdc8cfd26ef4
• Instruction Fuzzy Hash: BA1197B09007098FDB60DFA8D9487DEBBF4FB48324F14842AD485A3605CB386544CFA6
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not preserved in text)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 065234E6
Memory Dump Source
• Source File: 00000004.00000002.519659702.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6520000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: f84932e4a1e9d5ef576e37017891706971faa88920b16f83bc36efe39958d242
• Instruction ID: ce892aa645d14f1727a23002fa8bced2286a4707eb6afe492bce3f19b12522e8
• Opcode Fuzzy Hash: f84932e4a1e9d5ef576e37017891706971faa88920b16f83bc36efe39958d242
• Instruction Fuzzy Hash: C71134B5C003499FCB10CF9AC448BDEFBF4EB49224F04855AD459B7200D379A545CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06529A75
Memory Dump Source
• Source File: 00000004.00000002.519659702.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6520000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: aa4d289ffa07dd25641fe92c263ac8852acd29c98a0bcce63cb8c9ac60d4de0d
• Instruction ID: c29e1702dbb99770ab2b99ae9b3a16b096af629199e26790016792fe20bc7cff
• Opcode Fuzzy Hash: aa4d289ffa07dd25641fe92c263ac8852acd29c98a0bcce63cb8c9ac60d4de0d
• Instruction Fuzzy Hash: 4B112EB4D043498FCB20CF9AC488BDEFBF4EB88224F14841AE519A3300D378A944CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06529A75
Memory Dump Source
• Source File: 00000004.00000002.519659702.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6520000_DHL - OVERDUE ACCOUNT - 1301154822.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 25eb67d063a332584c3fa1e362a1376733c62ff80cee2c90e5b52c581af066ec
• Instruction ID: c27d982d7e3f20fb7ace38dc8e14506a93b75d8eac9200ea102c136866ec9aaa
• Opcode Fuzzy Hash: 25eb67d063a332584c3fa1e362a1376733c62ff80cee2c90e5b52c581af066ec
• Instruction Fuzzy Hash: D911FEB59002498FCB10CF9AD848BDEFBF4AB48224F148419D519A3700D778A944CFA5
Uniqueness
• Uniqueness Score: -1.00%