Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Dhl.exe

Overview

General Information

Sample Name:Dhl.exe
Analysis ID:778242
MD5:6a2bcefb53b034548874a53d22982949
SHA1:63793181c397deb869c4f91841389ac21dc36b0c
SHA256:5e395b61e0ed45f930033b90cec01953a40b565751e727801ced6528aeb322f1
Tags:exe
Infos:

Detection

DarkTortilla
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected DarkTortilla Crypter
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Dhl.exe (PID: 4460 cmdline: C:\Users\user\Desktop\Dhl.exe MD5: 6A2BCEFB53B034548874A53D22982949)
    • cmd.exe (PID: 4424 cmdline: cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 676 cmdline: ping 127.0.0.1 -n 43 MD5: 70C24A306F768936563ABDADB9CA9108)
      • PING.EXE (PID: 2396 cmdline: ping 127.0.0.1 -n 43 MD5: 70C24A306F768936563ABDADB9CA9108)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
    00000000.00000002.422138372.000000000439E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
      00000000.00000002.419766240.0000000003573000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
        00000000.00000002.417679179.000000000336E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
          00000000.00000002.422650649.0000000004486000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
            Click to see the 1 entries

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Machine Learning detection for sample
            Source: Dhl.exeJoe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\Adobe.exeJoe Sandbox ML: detected
            Source: Dhl.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 142.250.184.36:443 -> 192.168.2.5:49702 version: TLS 1.2
            Source: Dhl.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            barindex
            Uses ping.exe to check the status of other devices and networks
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Close
            Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: Dhl.exe, 00000000.00000002.416987697.0000000003291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: Dhl.exe, 00000000.00000003.308007193.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
            Source: Dhl.exe, 00000000.00000003.306436619.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com1
            Source: Dhl.exe, 00000000.00000003.306436619.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306865263.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comK
            Source: Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comW
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comn-u
            Source: Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comy
            Source: Dhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314315986.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332039121.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.414595334.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310002435.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314023655.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314268300.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311766107.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/
            Source: Dhl.exe, 00000000.00000003.310752222.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: Dhl.exe, 00000000.00000003.312935379.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers-
            Source: Dhl.exe, 00000000.00000003.309987554.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: Dhl.exe, 00000000.00000003.312451218.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312337645.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312111053.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312200037.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312268786.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
            Source: Dhl.exe, 00000000.00000003.312111053.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312200037.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlH
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311215416.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: Dhl.exe, 00000000.00000003.310095952.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersC
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: Dhl.exe, 00000000.00000003.310692246.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310624777.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310752222.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersH
            Source: Dhl.exe, 00000000.00000003.320097030.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersers
            Source: Dhl.exe, 00000000.00000003.312451218.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerserso
            Source: Dhl.exe, 00000000.00000003.312337645.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerso
            Source: Dhl.exe, 00000000.00000003.310624777.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
            Source: Dhl.exe, 00000000.00000003.310163535.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310288598.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310343508.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310110673.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312128474.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
            Source: Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF/
            Source: Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314315986.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314023655.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314268300.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314121536.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314373858.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comM
            Source: Dhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312573902.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312696214.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312352888.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312844737.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
            Source: Dhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312573902.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312696214.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312352888.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312844737.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comals
            Source: Dhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312218165.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312281638.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomF
            Source: Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdTTF
            Source: Dhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332039121.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.414595334.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320041131.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331678024.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332826630.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320945244.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332437472.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331235256.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.334445936.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.415069105.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.330794766.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320702302.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.come
            Source: Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.come.com
            Source: Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312128474.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311873693.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311766107.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessed
            Source: Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessed_
            Source: Dhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320041131.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320945244.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331235256.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.330794766.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320702302.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgrito
            Source: Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comitud
            Source: Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comitum
            Source: Dhl.exe, 00000000.00000003.310002435.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comnc.F
            Source: Dhl.exe, 00000000.00000003.310163535.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310288598.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310110673.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comtalik
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: Dhl.exe, 00000000.00000003.305686099.0000000006E34000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306112483.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305386586.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305516963.0000000006E3D000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305266367.0000000006E69000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305240761.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: Dhl.exe, 00000000.00000003.306112483.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: Dhl.exe, 00000000.00000003.305033442.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/H;
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn0
            Source: Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn8
            Source: Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnD
            Source: Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnh
            Source: Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com//
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: Dhl.exe, 00000000.00000003.315304297.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315203493.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: Dhl.exe, 00000000.00000003.315304297.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315203493.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmo
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308469112.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/9
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/F
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/P
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/W
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/c
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/lic
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t
            Source: Dhl.exe, 00000000.00000003.317270717.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317561165.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316536438.0000000006E70000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317018687.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316610467.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317719741.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316754232.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317456787.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316467807.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317190635.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316919935.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317636189.0000000006E6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308059633.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308040298.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: Dhl.exe, 00000000.00000003.307235075.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307127047.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comR
            Source: Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comslnt
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: Dhl.exe, 00000000.00000003.309694747.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313276635.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313444463.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: Dhl.exe, 00000000.00000003.313532650.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313382330.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313276635.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313619459.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313444463.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deeg_ia
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.Q
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnoth
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cntyp6
            Source: Dhl.exe, 00000000.00000002.417121586.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.417185610.00000000032D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/other
            Source: Dhl.exe, 00000000.00000002.416987697.0000000003291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: unknownDNS traffic detected: queries for: www.google.com
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Close
            Source: unknownHTTPS traffic detected: 142.250.184.36:443 -> 192.168.2.5:49702 version: TLS 1.2

            System Summary

            barindex
            .NET source code contains very large array initializations
            Source: Dhl.exe, r6M/z2P.csLarge array initialization: k7ADe: array initializer size 186880
            Source: Dhl.exe, Nd8/c1K.csLarge array initialization: .cctor: array initializer size 2038
            Source: 0.0.Dhl.exe.ba0000.0.unpack, r6M/z2P.csLarge array initialization: k7ADe: array initializer size 186880
            Source: 0.0.Dhl.exe.ba0000.0.unpack, Nd8/c1K.csLarge array initialization: .cctor: array initializer size 2038
            Source: Adobe.exe.1.dr, r6M/z2P.csLarge array initialization: k7ADe: array initializer size 186880
            Source: Adobe.exe.1.dr, Nd8/c1K.csLarge array initialization: .cctor: array initializer size 2038
            Source: Dhl.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_0175E8600_2_0175E860
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_01756E180_2_01756E18
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_01757A400_2_01757A40
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_03116ED80_2_03116ED8
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_03116EC80_2_03116EC8
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_03114D3C0_2_03114D3C
            Source: Dhl.exe, 00000000.00000002.423975925.0000000006940000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArgenTINA.dll$ vs Dhl.exe
            Source: Dhl.exe, 00000000.00000002.421528120.0000000004291000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArgenTINA.dll$ vs Dhl.exe
            Source: Dhl.exe, 00000000.00000000.292773300.0000000000C46000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameData Encoder.exeJ vs Dhl.exe
            Source: Dhl.exeBinary or memory string: OriginalFilenameData Encoder.exeJ vs Dhl.exe
            Source: Dhl.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Dhl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Dhl.exe C:\Users\user\Desktop\Dhl.exe
            Source: C:\Users\user\Desktop\Dhl.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Users\user\Desktop\Dhl.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exeJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43 Jump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
            Source: Adobe.lnk.0.drLNK file: ..\..\..\..\..\Adobe.exe
            Source: C:\Users\user\Desktop\Dhl.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnkJump to behavior
            Source: classification engineClassification label: mal72.troj.evad.winEXE@8/6@1/2
            Source: C:\Users\user\Desktop\Dhl.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: Dhl.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\Dhl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_01
            Source: C:\Users\user\Desktop\Dhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Dhl.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Dhl.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            barindex
            Yara detected DarkTortilla Crypter
            Source: Yara matchFile source: 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.422138372.000000000439E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.419766240.0000000003573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.417679179.000000000336E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.422650649.0000000004486000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Dhl.exe PID: 4460, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_0175C702 push 8B000005h; retf 0_2_0175C707
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_0175CD9C push ebp; retf 0_2_0175CDF9
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_03111A10 push E005DB04h; iretd 0_2_03111C6D
            Source: initial sampleStatic PE information: section name: .text entropy: 7.078604827515667
            Source: initial sampleStatic PE information: section name: .text entropy: 7.078604827515667
            Source: Dhl.exe, r6M/z2P.csHigh entropy of concatenated method names: '.ctor', 'So7', 'x0Y', 'i5D8Z', 'b2NFy', 'Ta09Q', 'Rc7a8', 'y0BKe', 't7LCm', 'Et46B'
            Source: 0.0.Dhl.exe.ba0000.0.unpack, r6M/z2P.csHigh entropy of concatenated method names: '.ctor', 'So7', 'x0Y', 'i5D8Z', 'b2NFy', 'Ta09Q', 'Rc7a8', 'y0BKe', 't7LCm', 'Et46B'
            Source: Adobe.exe.1.dr, r6M/z2P.csHigh entropy of concatenated method names: '.ctor', 'So7', 'x0Y', 'i5D8Z', 'b2NFy', 'Ta09Q', 'Rc7a8', 'y0BKe', 't7LCm', 'Et46B'
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Adobe.exeJump to dropped file
            Source: C:\Users\user\Desktop\Dhl.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnkJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnkJump to behavior

            Hooking and other Techniques for Hiding and Protection

            barindex
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\Dhl.exeFile opened: C:\Users\user\Desktop\Dhl.exe\:Zone.Identifier read attributes | deleteJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Uses ping.exe to sleep
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43 Jump to behavior
            Source: C:\Users\user\Desktop\Dhl.exe TID: 4588Thread sleep time: -23980767295822402s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exe TID: 4588Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\PING.EXE TID: 1428Thread sleep count: 41 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\PING.EXE TID: 1428Thread sleep time: -41000s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
            Source: C:\Users\user\Desktop\Dhl.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeWindow / User API: threadDelayed 9821Jump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeThread delayed: delay time: 30000Jump to behavior
            Source: Dhl.exe, 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTrayH
            Source: Dhl.exe, 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware VGAuth
            Source: Dhl.exe, 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: sandboxierpcss#SOFTWARE\VMware, Inc.\VMware VGAuth
            Source: Dhl.exe, 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTrayHp
            Source: C:\Users\user\Desktop\Dhl.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exeJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43 Jump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Users\user\Desktop\Dhl.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation2
            Registry Run Keys / Startup Folder            		11
            Process Injection            		1
            Masquerading            		OS Credential Dumping1
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		Exfiltration Over Other Network Medium11
            Encrypted Channel            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts2
            Registry Run Keys / Startup Folder            		1
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
            Ingress Tool Transfer            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
            Virtualization/Sandbox Evasion            		Security Account Manager21
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
            Non-Application Layer Protocol            		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureScheduled Transfer3
            Application Layer Protocol            		SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Hidden Files and Directories            		LSA Secrets11
            Remote System Discovery            		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common2
            Obfuscated Files or Information            		Cached Domain Credentials1
            System Network Configuration Discovery            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items1
            Software Packing            		DCSync1
            File and Directory Discovery            		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem12
            System Information Discovery            		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Dhl.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\Adobe.exe100%Joe Sandbox ML

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.fontbureau.comessed0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/90%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/80%URL Reputationsafe
            http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
            http://www.fontbureau.comgrito0%URL Reputationsafe
            http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.galapagosdesign.com/0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/W0%URL Reputationsafe
            http://www.carterandcone.comW0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/P0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/F0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/F0%URL Reputationsafe
            http://www.fontbureau.come.com0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.founder.com.cn/cn/0%URL Reputationsafe
            http://www.founder.com.cn/cn00%URL Reputationsafe
            http://www.fontbureau.comdTTF0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/t0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y0/0%URL Reputationsafe
            http://www.carterandcone.comy0%URL Reputationsafe
            http://www.fontbureau.comcomF0%URL Reputationsafe
            http://www.founder.com.cn/cn80%URL Reputationsafe
            http://www.fontbureau.comals0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/c0%URL Reputationsafe
            http://www.fontbureau.comitud0%URL Reputationsafe
            http://www.carterandcone.comn-u0%URL Reputationsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/F0%URL Reputationsafe
            https://csp.withgoogle.com/csp/report-to/gws/other0%URL Reputationsafe
            http://www.carterandcone.com10%URL Reputationsafe
            http://www.founder.com.cn/cn/H;0%Avira URL Cloudsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/90%URL Reputationsafe
            http://www.founder.com.cn/cnD0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.de0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.founder.com.cn/cnh0%URL Reputationsafe
            http://www.carterandcone.comK0%URL Reputationsafe
            http://www.fontbureau.comF0%URL Reputationsafe
            http://www.tiro.comslnt0%URL Reputationsafe
            http://www.fontbureau.comM0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
            http://www.fontbureau.coma0%URL Reputationsafe
            http://www.fontbureau.comd0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.fontbureau.come0%URL Reputationsafe
            http://www.monotype.0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.zhongyicts.com.cno.0%URL Reputationsafe
            http://www.zhongyicts.com.cntyp60%Avira URL Cloudsafe
            http://www.galapagosdesign.com/staff/dennis.htmo0%Avira URL Cloudsafe
            http://www.fontbureau.comitum0%Avira URL Cloudsafe
            http://www.fontbureau.comessed_0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cno.Q0%Avira URL Cloudsafe
            http://www.fontbureau.comnc.F0%Avira URL Cloudsafe
            http://www.urwpp.deeg_ia0%Avira URL Cloudsafe
            http://www.fontbureau.comF/0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cnoth0%Avira URL Cloudsafe
            http://www.galapagosdesign.com//0%Avira URL Cloudsafe
            http://www.fontbureau.comtalik0%Avira URL Cloudsafe
            http://www.tiro.comR0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/lic0%Avira URL Cloudsafe
            http://www.galapagosdesign.com//0%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            www.google.com
            		142.250.184.36
            		truefalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://www.google.com/false
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.founder.com.cn/cn/H;Dhl.exe, 00000000.00000003.305033442.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.fontbureau.comessed_Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		low
                http://www.fontbureau.com/designersDhl.exe, 00000000.00000003.310752222.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.fontbureau.comessedDhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312128474.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311873693.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311766107.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.sajatypeworks.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.jiyu-kobo.co.jp/9Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://www.google.comDhl.exe, 00000000.00000002.416987697.0000000003291000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.founder.com.cn/cn/cTheDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/8Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designersersDhl.exe, 00000000.00000003.320097030.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.jiyu-kobo.co.jp//Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308469112.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311766107.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.galapagosdesign.com/DPleaseDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.jiyu-kobo.co.jp/Y0Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.comgritoDhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320041131.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320945244.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331235256.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.330794766.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320702302.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.ascendercorp.com/typedesigners.htmlDhl.exe, 00000000.00000003.308007193.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.urwpp.deDPleaseDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.zhongyicts.com.cnDhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDhl.exe, 00000000.00000002.416987697.0000000003291000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.galapagosdesign.com/Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/WDhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.zhongyicts.com.cntyp6Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.carterandcone.comWDhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.comitumDhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/PDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/FDhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.zhongyicts.com.cno.QDhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.galapagosdesign.com/staff/dennis.htmoDhl.exe, 00000000.00000003.315304297.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315203493.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.come.comDhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.comlDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cn/Dhl.exe, 00000000.00000003.306112483.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cn0Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/frere-jones.htmlDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311215416.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.fontbureau.comdTTFDhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/tDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/Y0/Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comyDhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comcomFDhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312218165.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312281638.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn8Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/pDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              http://www.fontbureau.comalsDhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312573902.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312696214.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312352888.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312844737.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/cDhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersersoDhl.exe, 00000000.00000003.312451218.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.fontbureau.comitudDhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersHDhl.exe, 00000000.00000003.310692246.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310624777.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310752222.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.fontbureau.com/designersGDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.carterandcone.comn-uDhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/?Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.founder.com.cn/cn/bTheDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.jiyu-kobo.co.jp/jp/FDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers?Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.com/designersCDhl.exe, 00000000.00000003.310095952.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://csp.withgoogle.com/csp/report-to/gws/otherDhl.exe, 00000000.00000002.417121586.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.417185610.00000000032D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.carterandcone.com1Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.tiro.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comnc.FDhl.exe, 00000000.00000003.310002435.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.goodfont.co.krDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.carterandcone.comDhl.exe, 00000000.00000003.306436619.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/jp/9Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.founder.com.cn/cnDDhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.typography.netDDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.galapagosdesign.com/staff/dennis.htmDhl.exe, 00000000.00000003.315304297.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315203493.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://fontfabrik.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fonts.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.sandoll.co.krDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.urwpp.deDhl.exe, 00000000.00000003.309694747.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313276635.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313444463.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.comF/Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.sakkal.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308059633.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308040298.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designersoDhl.exe, 00000000.00000003.312337645.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.founder.com.cn/cnhDhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designerstDhl.exe, 00000000.00000003.310624777.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.carterandcone.comKDhl.exe, 00000000.00000003.306436619.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306865263.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.apache.org/licenses/LICENSE-2.0Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.fontbureau.comDhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314315986.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332039121.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.414595334.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310002435.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314023655.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314268300.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.urwpp.deeg_iaDhl.exe, 00000000.00000003.313532650.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313382330.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313276635.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313619459.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313444463.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		low
                                                    http://www.fontbureau.comFDhl.exe, 00000000.00000003.310163535.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310288598.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310343508.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310110673.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312128474.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.zhongyicts.com.cnothDhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.tiro.comslntDhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.comMDhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314315986.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314023655.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314268300.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314121536.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314373858.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.jiyu-kobo.co.jp/jp/Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.comaDhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312573902.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312696214.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312352888.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312844737.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.comdDhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlNDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.galapagosdesign.com//Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • 0%, Virustotal, Browse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.founder.com.cn/cnDhl.exe, 00000000.00000003.305686099.0000000006E34000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306112483.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305386586.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305516963.0000000006E3D000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305266367.0000000006E69000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305240761.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designers-Dhl.exe, 00000000.00000003.312935379.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.fontbureau.comeDhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332039121.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.414595334.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320041131.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331678024.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332826630.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320945244.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332437472.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331235256.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.334445936.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.415069105.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.330794766.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320702302.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlDhl.exe, 00000000.00000003.312451218.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312337645.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312111053.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312200037.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312268786.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.fontbureau.comtalikDhl.exe, 00000000.00000003.310163535.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310288598.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310110673.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.monotype.Dhl.exe, 00000000.00000003.317270717.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317561165.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316536438.0000000006E70000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317018687.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316610467.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317719741.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316754232.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317456787.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316467807.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317190635.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316919935.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317636189.0000000006E6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.tiro.comRDhl.exe, 00000000.00000003.307235075.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307127047.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.jiyu-kobo.co.jp/Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.zhongyicts.com.cno.Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designers8Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.fontbureau.com/designers/Dhl.exe, 00000000.00000003.309987554.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.jiyu-kobo.co.jp/licDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://www.fontbureau.com/designers/cabarga.htmlHDhl.exe, 00000000.00000003.312111053.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312200037.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high

                                                                World Map of Contacted IPs

                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs

                                                                Public IPs

                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                142.250.184.36
                                                                		www.google.comUnited States
                                                                		15169GOOGLEUSfalse

                                                                Private

                                                                IP
                                                                127.0.0.1

                                                                General Information

                                                                Joe Sandbox Version:36.0.0 Rainbow Opal
                                                                Analysis ID:778242
                                                                Start date and time:2023-01-05 09:21:16 +01:00
                                                                Joe Sandbox Product:CloudBasic
                                                                Overall analysis duration:0h 7m 27s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Sample file name:Dhl.exe
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                Number of analysed new started processes analysed:8
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • HDC enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Detection:MAL
                                                                Classification:mal72.troj.evad.winEXE@8/6@1/2
                                                                EGA Information:
                                                                • Successful, ratio: 100%
                                                                HDC Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 99%
                                                                • Number of executed functions: 53
                                                                • Number of non-executed functions: 3
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe

                                                                Warnings

                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                Simulations

                                                                Behavior and APIs

                                                                TimeTypeDescription
                                                                09:22:32API Interceptor208x Sleep call for process: Dhl.exe modified
                                                                09:22:36AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnk

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                No context

                                                                Domains

                                                                No context

                                                                ASNs

                                                                No context

                                                                JA3 Fingerprints

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                3b5074b1b5d032e5620f69f9f700ff0eContracts0001.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                Copy_Company-profile.vbeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                3228QkgALx.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                wNe6jmIL7c.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                Dhl.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                4DDFE866BEAB3C6023F5A5C7E01D061016BC940DE5137.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                university of kentucky indirect cost rate agreement 5564.jsGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                INV20230104-BR.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                https://project3-3b599.web.app/Get hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                Ys6s3AZ2qW.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                7X5WCb8HDW.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                eclattttt.jsGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                file.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                eclattttt.jsGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                file.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                SecuriteInfo.com.Win32.RansomX-gen.1482.3911.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                SecuriteInfo.com.Win32.Trojan-gen.5667.19000.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                ltroubvle_sib.msiGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                RZxpPKvkpjbNPWT.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36
                                                                L2 Shield.exeGet hashmaliciousBrowse
                                                                • 142.250.184.36

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dhl.exe.log

                                                                Download File
                                                                Process:C:\Users\user\Desktop\Dhl.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1216
                                                                Entropy (8bit):5.355304211458859
                                                                Encrypted:false
                                                                SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHY
                                                                MD5:45A1687CECD48F6A4A90071C96E50E41
                                                                SHA1:DF49ED05380F17EB14F2B87F051676E8B681E7E2
                                                                SHA-256:05DABE990DCB3015952FAA3AE9AD3E43F70FF3BDB2E17E3B7A183CBDCDAF7C49
                                                                SHA-512:1E0683F03744B715EC699179412C4E1BF44ED1D98F4ACE22366FB860773C8FF6A02D809BCAA1170BDD712B94A3FFBB9990ED0E9BD494E4622E37D3A5CDED332B
                                                                Malicious:true
                                                                Reputation:moderate, very likely benign file
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                C:\Users\user\AppData\Roaming\Adobe.exe

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):842752
                                                                Entropy (8bit):6.816319529583852
                                                                Encrypted:false
                                                                SSDEEP:12288:Kr1ttVPPvGYLHicNzGE1H6E1H6E1H6E1HsE1HQ8chPkwDQOuNbJ3XVkHvxJz1f2u:KrbvG8C7uH6uH6uH6uHsuHSkwi0c
                                                                MD5:6A2BCEFB53B034548874A53D22982949
                                                                SHA1:63793181C397DEB869C4F91841389AC21DC36B0C
                                                                SHA-256:5E395B61E0ED45F930033B90CEC01953A40B565751E727801CED6528AEB322F1
                                                                SHA-512:7A8BE43BB7F1F371BB20EEF895CE403402D11823C1014212D6A44674D6E9819EEC2B7FE1252068FA45F651B2652B8F97C2307ABF90BC70D2DE67EACD5E4856F2
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                Reputation:low
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m.1.............................K... ...`....@.. .......................@............`..................................K..W....`...................... ....................................................... ............... ..H............text....,... ...................... ..`.rsrc.......`.......0..............@..@.reloc....... ......................@..B.................K......H............8......;.......r............................................V@.~n....................vG..../._.2.n.g".....f.B.9..|.#.j...........T<.x..Q...L..`.8|""...<k".(..&..aU>."i.6.~...}6y.. .n.gO. V.D...x l".......LD...w!..ei.........,.6\.W...k..a....Q..0ur....WAY.x.?-n....kv.5m.+.<.I.dcz.kiUp...-...:..?@.64...O..;...".5...r&..^}3..N.9'.5=mN......{R.v..15.......#.....7\..d=..../.Z6J..l:.......X..d..(...QW%.b....].....=c...U.O..8..A.T&.l&..=.X.7.$..h{z.

                                                                C:\Users\user\AppData\Roaming\Adobe.exe:Zone.Identifier

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Reputation:high, very likely benign file
                                                                Preview:[ZoneTransfer]....ZoneId=0

                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnk

                                                                Download File
                                                                Process:C:\Users\user\Desktop\Dhl.exe
                                                                File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                Category:dropped
                                                                Size (bytes):888
                                                                Entropy (8bit):3.0964643635058136
                                                                Encrypted:false
                                                                SSDEEP:12:8wl0hsXU1e/tz0/CSLiN79NMJYgCNfBf4t2Y+xIBjK:8yvWLnSpj7aB
                                                                MD5:C3EA211B60112431AFF49E82AF924298
                                                                SHA1:3F1C845CFEF7B8426E93C23D6895FA5C1222483C
                                                                SHA-256:53FB069F843AEC8118F8C792383467D95913B1B5233A4AFAF19BD799D04545E6
                                                                SHA-512:C5CE3E5E6C9F7F048332E26A0B8C0EE56AD6EFA013EDF2CF1198D2F81A08A0DDD220B9E59AAB4AAA00BEC196DCF7DB6D75FEA228045BB7658699E6D691BAB14E
                                                                Malicious:false
                                                                Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.2...........Adobe.exe.D............................................A.d.o.b.e...e.x.e.............\.....\.....\.....\.....\.A.d.o.b.e...e.x.e.).C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.A.d.o.b.e...e.x.e.............}.............>.e.L.:..er.=}...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................

                                                                \Device\Null

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\PING.EXE
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1269
                                                                Entropy (8bit):4.6333041134432005
                                                                Encrypted:false
                                                                SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTO:/4
                                                                MD5:547F93F8C190FF60B69925BE7F19A99C
                                                                SHA1:7154358994ABEC65BBB6037CBEB6A7AAB778EE24
                                                                SHA-256:AEA40E2666479E251DC673126D613711534506D13FDC738297A706D517455459
                                                                SHA-512:77DABD91F9711F3F54CEEF03843D075F3907E9B84102A2884DC3DBA5B6870A984E4C7126E007D06FEAF3F893039F3C8A9C0E94D3592A0E6E56566C49295862C4
                                                                Malicious:false
                                                                Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):6.816319529583852
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:Dhl.exe
                                                                File size:842752
                                                                MD5:6a2bcefb53b034548874a53d22982949
                                                                SHA1:63793181c397deb869c4f91841389ac21dc36b0c
                                                                SHA256:5e395b61e0ed45f930033b90cec01953a40b565751e727801ced6528aeb322f1
                                                                SHA512:7a8be43bb7f1f371bb20eef895ce403402d11823c1014212d6a44674d6e9819eec2b7fe1252068fa45f651b2652b8f97c2307abf90bc70d2de67eacd5e4856f2
                                                                SSDEEP:12288:Kr1ttVPPvGYLHicNzGE1H6E1H6E1H6E1HsE1HQ8chPkwDQOuNbJ3XVkHvxJz1f2u:KrbvG8C7uH6uH6uH6uHsuHSkwi0c
                                                                TLSH:6805BE971663BFD9C0718678E261CCE423B17E3900D08BEE69E41395D6E3A5B7A3384D
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m.1.............................K... ...`....@.. .......................@............`................................

                                                                File Icon

                                                                Icon Hash:e0c6b2321282c4e0

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4a4bfe
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x31DA6D85 [Wed Jul 3 12:54:29 1996 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al

                                                                Data Directories

                                                                NameVirtual AddressVirtual Size Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xa4ba40x57.text
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xa60000x2a9ea.rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xd20000xc.reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                Sections

                                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                .text0x20000xa2c040xa2e00False0.6488527076937836data7.078604827515667IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .rsrc0xa60000x2a9ea0x2aa00False0.23383660190615835data4.835402900266054IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc0xd20000xc0x200False0.041015625data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                NameRVASizeTypeLanguageCountry
                                                                RT_ICON0xa64c00x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640
                                                                RT_ICON0xa67a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192
                                                                RT_ICON0xa68d00xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2688
                                                                RT_ICON0xa77780x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1152
                                                                RT_ICON0xa80200x568Device independent bitmap graphic, 16 x 32 x 8, image size 320
                                                                RT_ICON0xa85880x3e48PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                RT_ICON0xac3d00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896
                                                                RT_ICON0xb05f80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600
                                                                RT_ICON0xb2ba00x1a68Device independent bitmap graphic, 40 x 80 x 32, image size 6720
                                                                RT_ICON0xb46080x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224
                                                                RT_ICON0xb56b00x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400
                                                                RT_ICON0xb60380x6b8Device independent bitmap graphic, 20 x 40 x 32, image size 1680
                                                                RT_ICON0xb66f00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088
                                                                RT_ICON0xb6b580x12c0PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                RT_ICON0xb7e180x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536
                                                                RT_ICON0xc86400x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384
                                                                RT_ICON0xcc8680x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216
                                                                RT_ICON0xcee100x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096
                                                                RT_ICON0xcfeb80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024
                                                                RT_GROUP_ICON0xd03200x5adata
                                                                RT_GROUP_ICON0xd037c0xbcdata
                                                                RT_VERSION0xd04380x3c8data
                                                                RT_MANIFEST0xd08000x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                                                                Imports

                                                                DLLImport
                                                                mscoree.dll_CorExeMain

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 5, 2023 09:22:11.438339949 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.438410044 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.438503027 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.550308943 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.550349951 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.628907919 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.629101992 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.634354115 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.634371996 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.634776115 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.684264898 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.961411953 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.961477995 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.144965887 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145093918 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.145360947 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145509005 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.145661116 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145744085 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.145793915 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145845890 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145859957 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.145872116 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145929098 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.147181034 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.147284031 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.147311926 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.147341013 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.147402048 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.148653030 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.148753881 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.150139093 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.150233030 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.150253057 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.150278091 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.150336981 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.165596962 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.165704966 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.165745020 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.166094065 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.166120052 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.166141987 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.166203976 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.166261911 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.166337013 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.167538881 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.168091059 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.168157101 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.168178082 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.169663906 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.169740915 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.169761896 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.169785976 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.169841051 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.171137094 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.172681093 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.172761917 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.172784090 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.174181938 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.174283028 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.174309015 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.175443888 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.175530910 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.175559998 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.176819086 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.176887035 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.176904917 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.178112030 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.178200960 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.178217888 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.178241968 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.178330898 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.179430962 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.180751085 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.180836916 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.180855036 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.182064056 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.182131052 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.182147980 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.186530113 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.186606884 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.186630011 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.186986923 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.187066078 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:13.315306902 CET49702443192.168.2.5142.250.184.36

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 5, 2023 09:22:11.376574993 CET6064953192.168.2.58.8.8.8
                                                                Jan 5, 2023 09:22:11.396013021 CET53606498.8.8.8192.168.2.5

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Jan 5, 2023 09:22:11.376574993 CET192.168.2.58.8.8.80xcadcStandard query (0)www.google.comA (IP address)IN (0x0001)false

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Jan 5, 2023 09:22:11.396013021 CET8.8.8.8192.168.2.50xcadcNo error (0)www.google.com142.250.184.36A (IP address)IN (0x0001)false

                                                                HTTP Request Dependency Graph

                                                                • www.google.com

                                                                HTTPS Proxied Packets

                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                0192.168.2.549702142.250.184.36443C:\Users\user\Desktop\Dhl.exe
                                                                TimestampkBytes transferredDirectionData
                                                                2023-01-05 08:22:11 UTC0OUTGET / HTTP/1.1
                                                                Host: www.google.com
                                                                Connection: Close
                                                                2023-01-05 08:22:12 UTC0INHTTP/1.1 200 OK
                                                                Date: Thu, 05 Jan 2023 08:22:12 GMT
                                                                Expires: -1
                                                                Cache-Control: private, max-age=0
                                                                Content-Type: text/html; charset=ISO-8859-1
                                                                Cross-Origin-Opener-Policy-Report-Only: same-origin-allow-popups; report-to="gws"
                                                                Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
                                                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                Server: gws
                                                                X-XSS-Protection: 0
                                                                X-Frame-Options: SAMEORIGIN
                                                                Set-Cookie: SOCS=CAAaBgiAptidBg; expires=Sun, 04-Feb-2024 08:22:12 GMT; path=/; domain=.google.com; Secure; SameSite=lax
                                                                Set-Cookie: AEC=AakniGMjFDHJ0MTVCLF6M4ZSU0uy4YqaAdo04n-cMyhy21ZIOkmLzeQSzEY; expires=Tue, 04-Jul-2023 08:22:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                Set-Cookie: __Secure-ENID=9.SE=GATpw8OLjkjYCucc-hezyDA0c9MQ9JJcOU7TJj1krA6kVU3CPgPpKXHm4F_KpWy1dK0IIEYPjF2oUh4HsWKwzozYQV4wBfqyxDnm2eikYoUPeRYQZIUJvYDejLY7PCcnUIT1tV6e1y1NU4ogcEX7hXhiUrA95rW_kmtxgOP5S0E; expires=Mon, 05-Feb-2024 00:40:30 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                Set-Cookie: CONSENT=PENDING+842; expires=Sat, 04-Jan-2025 08:22:11 GMT; path=/; domain=.google.com; Secure
                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                Accept-Ranges: none
                                                                Vary: Accept-Encoding
                                                                Connection: close
                                                                Transfer-Encoding: chunked
                                                                2023-01-05 08:22:12 UTC1INData Raw: 34 64 37 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 64 65 2d 43 48 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65
                                                                Data Ascii: 4d71<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="de-CH"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image
                                                                2023-01-05 08:22:12 UTC2INData Raw: 31 37 31 2c 33 38 2c 32 2c 33 35 38 2c 31 37 2c 31 38 32 2c 37 36 34 2c 33 33 2c 39 32 30 2c 35 36 2c 33 30 37 2c 37 36 35 2c 35 39 33 2c 32 35 32 2c 33 39 31 2c 39 31 37 2c 36 37 30 2c 35 32 37 35 31 37 34 2c 31 33 34 2c 39 35 2c 31 33 39 2c 38 37 39 38 39 31 30 2c 33 33 31 31 2c 31 34 31 2c 37 39 35 2c 31 39 37 33 35 2c 31 2c 31 2c 33 34 36 2c 32 33 39 35 30 34 38 34 2c 34 30 34 32 31 34 33 2c 31 39 36 34 2c 35 34 31 35 2c 31 31 32 35 37 2c 33 31 30 32 2c 33 30 34 2c 35 35 39 35 2c 31 31 2c 33 38 33 35 2c 36 38 39 37 2c 32 39 39 2c 31 34 30 34 35 31 38 2c 37 35 31 35 39 27 2c 6b 42 4c 3a 27 44 6c 34 62 27 7d 3b 67 6f 6f 67 6c 65 2e 73 6e 3d 27 77 65 62 68 70 27 3b 67 6f 6f 67 6c 65 2e 6b 48 4c 3d 27 64 65 2d 43 48 27 3b 7d 29 28 29 3b 28 66 75 6e 63 74
                                                                Data Ascii: 171,38,2,358,17,182,764,33,920,56,307,765,593,252,391,917,670,5275174,134,95,139,8798910,3311,141,795,19735,1,1,346,23950484,4042143,1964,5415,11257,3102,304,5595,11,3835,6897,299,1404518,75159',kBL:'Dl4b'};google.sn='webhp';google.kHL='de-CH';})();(funct
                                                                2023-01-05 08:22:12 UTC4INData Raw: 70 75 73 68 28 5b 5b 61 5d 2c 62 2c 63 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 67 6f 6f 67 6c 65 2e 66 3d 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 73 75 62 6d 69 74 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 69 66 28 61 3d 62 2e 74 61 72 67 65 74 29 7b 76 61 72 20 63 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d
                                                                Data Ascii: push([[a],b,c])};google.loadAll=function(a,b){google.lq.push([a,b])};google.bx=!1;google.lx=function(){};}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.getAttribute("data-
                                                                2023-01-05 08:22:12 UTC5INData Raw: 63 69 74 79 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 3b 74 6f 70 3a 2d 39 39 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 2d 31 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30
                                                                Data Ascii: city:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-index:999;top:-999px;visibility:hidden;text-align:left;border:1px solid #bebebe;background:#fff;-moz-box-shadow:-1px 1px 1px rgba(0,0,0,.2);-webkit-box-shadow:0 2px 4px rgba(0,0
                                                                2023-01-05 08:22:12 UTC7INData Raw: 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 7d 2e 67 62 7a 74 2c 2e 67 62 67 74 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 73 70 61 6e 23 67 62 67 36 2c 73 70 61 6e 23 67 62 67 34 7b 63 75 72 73 6f 72 3a 64 65 66 61 75 6c 74 7d 2e 67 62 74 73 7b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 64 69 73 70 6c
                                                                Data Ascii: 2px 4px rgba(0,0,0,.2);-webkit-box-shadow:0 2px 4px rgba(0,0,0,.2)}.gbzt,.gbgt{cursor:pointer;display:block;text-decoration:none !important}span#gbg6,span#gbg4{cursor:default}.gbts{border-left:1px solid transparent;border-right:1px solid transparent;displ
                                                                2023-01-05 08:22:12 UTC8INData Raw: 6f 20 2e 67 62 67 34 61 20 2e 67 62 74 73 7b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 35 70 78 20 31 70 78 3b 2a 70 61 64 64 69 6e 67 3a 32 37 70 78 20 35 70 78 20 31 70 78 7d 23 67 62 69 34 69 2c 23 67 62 69 34 69 64 7b 6c 65 66 74 3a 35 70 78 3b 62 6f 72 64 65 72 3a 30 3b 68 65 69 67 68 74 3a 32 34 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 31 70 78 3b 77 69 64 74 68 3a 32 34 70 78 7d 2e 67 62 74 6f 20 23 67 62 69 34 69 2c 2e 67 62 74 6f 20 23 67 62 69 34 69 64 7b 74 6f 70 3a 33 70 78 7d 2e 67 62 69 34 70 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 77 69 64 74 68 3a 32 34 70 78 7d 23 67 62 69 34 69 64 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 34 34 70 78 20 2d 31 30 31 70 78 7d 23 67 62 6d 70 69 64
                                                                Data Ascii: o .gbg4a .gbts{padding:29px 5px 1px;*padding:27px 5px 1px}#gbi4i,#gbi4id{left:5px;border:0;height:24px;position:absolute;top:1px;width:24px}.gbto #gbi4i,.gbto #gbi4id{top:3px}.gbi4p{display:block;width:24px}#gbi4id{background-position:-44px -101px}#gbmpid
                                                                2023-01-05 08:22:12 UTC10INData Raw: 74 65 64 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 67 62 6d 6c 62 2d 68 76 72 2c 2e 67 62 6d 6c 62 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 6c 62 77 7b 63 6f 6c 6f 72 3a 23 63 63 63 3b 6d 61 72 67 69 6e 3a 30 20 31 30 70 78 7d 2e 67 62 6d 74 7b 70 61 64 64 69 6e 67 3a 30 20 32 30 70 78 7d 2e 67 62 6d 74 3a 68 6f 76 65 72 2c 2e 67 62 6d 74 3a 66 6f 63 75 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 6f 75 74 6c 69 6e 65 3a 30 20 73 6f 6c 69 64 20 62 6c 61 63 6b 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61
                                                                Data Ascii: ted{line-height:27px}.gbmlb-hvr,.gbmlb:focus{outline:none;text-decoration:underline !important}.gbmlbw{color:#ccc;margin:0 10px}.gbmt{padding:0 20px}.gbmt:hover,.gbmt:focus{background:#eee;cursor:pointer;outline:0 solid black;text-decoration:none !importa
                                                                2023-01-05 08:22:12 UTC11INData Raw: 7d 2e 67 62 70 30 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 67 62 70 30 20 2e 67 62 70 73 32 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 23 67 62 64 34 20 2e 67 62 6d 63 63 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 7d 2e 67 62 70 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 65 66 39 64 62 7d 2e 67 62 70 6d 63 20 2e 67 62 70 6d 74 63 7b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 7d 23 67 62 70 6d 7b 62 6f 72 64 65 72 3a 30 3b 2a 62 6f 72 64 65 72 2d 63 6f 6c 6c 61 70 73 65 3a 63 6f 6c 6c 61 70 73 65 3b 62 6f 72 64 65 72 2d 73 70 61 63 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 72 6d 61 6c 7d 23 67 62 70 6d 20 2e 67 62 70 6d 74 63 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 6e 6f 6e 65 3b 63 6f
                                                                Data Ascii: }.gbp0{display:none}.gbp0 .gbps2{font-weight:bold}#gbd4 .gbmcc{margin-top:5px}.gbpmc{background:#fef9db}.gbpmc .gbpmtc{padding:10px 20px}#gbpm{border:0;*border-collapse:collapse;border-spacing:0;margin:0;white-space:normal}#gbpm .gbpmtc{border-top:none;co
                                                                2023-01-05 08:22:12 UTC12INData Raw: 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 2d 68 76 72 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 61 2d 68 76 72 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 62 2d 68 76 72 3a 66 6f 63 75 73 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 23 66 66 66 2c 30
                                                                Data Ascii: 0 0 0 1px rgba(255, 255, 255, 0.5);-webkit-box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);outline:none}.gbqfb-hvr:focus,.gbqfba-hvr:focus,.gbqfbb-hvr:focus{-webkit-box-shadow:inset 0 0 0 1px #fff,0
                                                                2023-01-05 08:22:12 UTC14INData Raw: 68 76 72 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 32 66 35 62 62 37 7d 2e 67 62 71 66 62 2d 68 76 72 2c 2e 67 62 71 66 62 2d 68 76 72 3a 66 6f 63 75 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 35 37 61 65 38 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 34 64 39 30 66 65 29 2c 74 6f 28 23 33 35 37 61 65 38 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f
                                                                Data Ascii: hvr:focus{border-color:#2f5bb7}.gbqfb-hvr,.gbqfb-hvr:focus{background-color:#357ae8;background-image:-webkit-gradient(linear,left top,left bottom,from(#4d90fe),to(#357ae8));background-image:-webkit-linear-gradient(top,#4d90fe,#357ae8);background-image:-mo
                                                                2023-01-05 08:22:12 UTC15INData Raw: 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 38 66 38 66 38 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 38 66 38 66 38 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 38 66 38 66 38 2c 23 66 31 66 31 66 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 38 66 38 66 38 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 31 66 31 66 31 27 29 7d 2e 67 62 71 66 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d
                                                                Data Ascii: adient(top,#f8f8f8,#f1f1f1);background-image:-o-linear-gradient(top,#f8f8f8,#f1f1f1);background-image:linear-gradient(top,#f8f8f8,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-
                                                                2023-01-05 08:22:12 UTC17INData Raw: 6e 74 7d 2e 67 62 71 66 62 61 3a 61 63 74 69 76 65 2c 2e 67 62 71 66 62 62 3a 61 63 74 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 0a 23 67 62 6d 70 61 73 7b 6d 61 78 2d 68 65 69 67 68 74 3a 32 32 30 70 78 7d 23 67 62 6d 6d 7b 6d 61 78 2d 68 65 69 67 68 74 3a 35 33 30 70 78 7d 2e 67 62 73 62 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f
                                                                Data Ascii: nt}.gbqfba:active,.gbqfbb:active{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}#gbmpas{max-height:220px}#gbmm{max-height:530px}.gbsb{-webkit-box-sizing:border-bo
                                                                2023-01-05 08:22:12 UTC18INData Raw: 74 6f 70 2c 66 72 6f 6d 28 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 29 2c 74 6f 28 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29
                                                                Data Ascii: top,from(rgba(0,0,0,.2)),to(rgba(0,0,0,0)));background-image:-webkit-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));background-image:-moz-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));background-image:-ms-linear-gradient(bottom,rgba(0,0,0,.2)
                                                                2023-01-05 08:22:12 UTC19INData Raw: 30 30 3b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 68 65 69 67 68 74 3a 33 30 70 78 3b 6d 61 72 67 69 6e 3a 30 3b 6f 75 74 6c 69 6e 65 3a 30 3b 66 6f 6e 74 3a 31 35 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 6c 73 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 64 61 64 63 65 30 7d 2e 6c 73 74 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 3c 2f 73 74 79 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 4d 54 37 38 44 30 74 6b 5f 4e 62 77 35 58 53 72 75 5f 6c 45 66 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 65 72 64 3d 7b 6a 73 72 3a 31 2c 62 76 3a 31 37 30 32 2c 64 65 3a 74 72 75 65 7d 3b 0a 76 61 72
                                                                Data Ascii: 00;cursor:pointer;height:30px;margin:0;outline:0;font:15px arial,sans-serif;vertical-align:top}.lsb:active{background:#dadce0}.lst:focus{outline:none}</style><script nonce="MT78D0tk_Nbw5XSru_lEfA">(function(){window.google.erd={jsr:1,bv:1702,de:true};var
                                                                2023-01-05 08:22:12 UTC20INData Raw: 63 66 0d 0a 28 22 2d 65 78 74 65 6e 73 69 6f 6e 3a 2f 22 29 26 26 28 65 3d 33 29 2c 63 2b 3d 22 26 73 63 72 69 70 74 3d 22 2b 62 28 67 29 2c 66 26 26 67 3d 3d 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 26 26 28 66 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6f 75 74 65 72 48 54 4d 4c 2e 73 70 6c 69 74 28 22 5c 6e 22 29 5b 66 5d 2c 63 2b 3d 22 26 63 61 64 3d 22 2b 62 28 66 3f 66 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 33 30 30 29 3a 22 4e 6f 20 73 63 72 69 70 74 20 66 6f 75 6e 64 2e 22 29 29 29 3b 63 2b 3d 22 26 6a 73 65 6c 3d 22 2b 65 3b 66 6f 72 28 76 61 72 20 75 20 69 6e 0d 0a
                                                                Data Ascii: cf("-extension:/")&&(e=3),c+="&script="+b(g),f&&g===window.location.href&&(f=document.documentElement.outerHTML.split("\n")[f],c+="&cad="+b(f?f.substring(0,300):"No script found.")));c+="&jsel="+e;for(var u in
                                                                2023-01-05 08:22:12 UTC21INData Raw: 37 32 37 38 0d 0a 20 64 29 63 2b 3d 22 26 22 2c 63 2b 3d 62 28 75 29 2c 63 2b 3d 22 3d 22 2c 63 2b 3d 62 28 64 5b 75 5d 29 3b 63 3d 63 2b 22 26 65 6d 73 67 3d 22 2b 62 28 61 2e 6e 61 6d 65 2b 22 3a 20 22 2b 61 2e 6d 65 73 73 61 67 65 29 3b 63 3d 63 2b 22 26 6a 73 73 74 3d 22 2b 62 28 61 2e 73 74 61 63 6b 7c 7c 22 4e 2f 41 22 29 3b 31 32 32 38 38 3c 3d 63 2e 6c 65 6e 67 74 68 26 26 28 63 3d 63 2e 73 75 62 73 74 72 28 30 2c 31 32 32 38 38 29 29 3b 61 3d 63 3b 6d 7c 7c 67 6f 6f 67 6c 65 2e 6c 6f 67 28 30 2c 22 22 2c 61 29 3b 72 65 74 75 72 6e 20 61 7d 3b 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 64 2c 6d 2c 65 29 7b 72 21 3d 3d 61 26 26 28 61 3d 65 20 69 6e 73 74 61 6e 63 65 6f 66 20 45 72 72 6f 72 3f 65 3a 45 72 72
                                                                Data Ascii: 7278 d)c+="&",c+=b(u),c+="=",c+=b(d[u]);c=c+"&emsg="+b(a.name+": "+a.message);c=c+"&jsst="+b(a.stack||"N/A");12288<=c.length&&(c=c.substr(0,12288));a=c;m||google.log(0,"",a);return a};window.onerror=function(a,b,d,m,e){r!==a&&(a=e instanceof Error?e:Err
                                                                2023-01-05 08:22:12 UTC22INData Raw: 64 20 30 3d 3d 6b 3f 6c 3a 76 6f 69 64 20 30 3d 3d 6c 3f 6b 3a 6c 26 26 6b 7d 7d 7d 76 61 72 20 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 2e 62 76 2e 6d 3d 3d 61 7d 7d 2c 65 61 3d 64 61 28 31 29 2c 66 61 3d 64 61 28 32 29 3b 70 28 22 73 62 22 2c 65 61 29 3b 70 28 22 6b 6e 22 2c 66 61 29 3b 68 2e 61 3d 5f 74 76 76 3b 68 2e 62 3d 5f 74 76 66 3b 68 2e 63 3d 5f 74 76 6e 3b 68 2e 69 3d 61 61 3b 76 61 72 20 72 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 2c 75 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 2c 6a 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 6e 65 77 20 49 6d 61 67 65 2c 63 3d 68 61 3b 62 2e 6f 6e 65
                                                                Data Ascii: d 0==k?l:void 0==l?k:l&&k}}}var da=function(a){return function(){return g.bv.m==a}},ea=da(1),fa=da(2);p("sb",ea);p("kn",fa);h.a=_tvv;h.b=_tvf;h.c=_tvn;h.i=aa;var r=window.gbar.i.i;var t=function(){},u=function(){},ja=function(a){var b=new Image,c=ha;b.one
                                                                2023-01-05 08:22:12 UTC23INData Raw: 70 28 22 6d 64 69 22 2c 6b 61 29 3b 70 28 22 62 6e 63 22 2c 78 29 3b 70 28 22 71 47 43 22 2c 74 61 29 3b 70 28 22 71 6d 22 2c 43 29 3b 70 28 22 71 64 22 2c 41 29 3b 70 28 22 6c 62 22 2c 73 61 29 3b 70 28 22 6d 63 66 22 2c 6f 61 29 3b 70 28 22 62 63 66 22 2c 6e 61 29 3b 70 28 22 61 71 22 2c 42 29 3b 70 28 22 6d 64 64 22 2c 22 22 29 3b 0a 70 28 22 68 61 73 22 2c 70 61 29 3b 70 28 22 74 72 68 22 2c 76 61 29 3b 70 28 22 74 65 76 22 2c 72 61 29 3b 69 66 28 68 2e 61 28 22 6d 3b 2f 5f 2f 73 63 73 2f 61 62 63 2d 73 74 61 74 69 63 2f 5f 2f 6a 73 2f 6b 3d 67 61 70 69 2e 67 61 70 69 2e 65 6e 2e 57 45 50 6e 63 64 69 6c 32 55 77 2e 4f 2f 64 3d 31 2f 72 73 3d 41 48 70 4f 6f 6f 2d 65 4f 65 63 4c 4c 74 4f 58 45 6c 33 49 33 6b 49 75 4d 73 4b 58 52 6b 44 4d 6d 41 2f 6d 3d
                                                                Data Ascii: p("mdi",ka);p("bnc",x);p("qGC",ta);p("qm",C);p("qd",A);p("lb",sa);p("mcf",oa);p("bcf",na);p("aq",B);p("mdd","");p("has",pa);p("trh",va);p("tev",ra);if(h.a("m;/_/scs/abc-static/_/js/k=gapi.gapi.en.WEPncdil2Uw.O/d=1/rs=AHpOoo-eOecLLtOXEl3I3kIuMsKXRkDMmA/m=
                                                                2023-01-05 08:22:12 UTC24INData Raw: 6d 70 6f 6e 65 6e 74 2c 66 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29 2c 22 26 6a 65 78 70 69 64 3d 22 2c 64 28 22 32 38 38 33 34 22 29 2c 22 26 73 72 63 70 67 3d 22 2c 64 28 22 70 72 6f 70 3d 31 22 29 2c 22 26 6a 73 72 3d 22 2c 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 46 61 29 2c 22 26 6f 67 65 76 3d 22 2c 64 28 22 74 49 69 32 59 34 69 54 41 73 79 45 31 73 67 50 2d 72 53 35 69 41 77 22 29 2c 22 26 6f 67 66 3d 22 2c 67 2e 62 76 2e 66 2c 22 26 6f 67 72 70 3d 22 2c 64 28 22 22 29 2c 22 26 6f 67 76 3d 22 2c 64 28 22 34 39 34 35 39 37 37 35 34 2e 30 22 29 2c 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f
                                                                Data Ascii: mponent,f=["//www.google.com/gen_204?atyp=i&zx=",(new Date).getTime(),"&jexpid=",d("28834"),"&srcpg=",d("prop=1"),"&jsr=",Math.round(1/Fa),"&ogev=",d("tIi2Y4iTAsyE1sgP-rS5iAw"),"&ogf=",g.bv.f,"&ogrp=",d(""),"&ogv=",d("494597754.0"),"&oggv="+d("es_plusone_
                                                                2023-01-05 08:22:12 UTC25INData Raw: 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 2c 22 2f 6f 67 2f 5f 2f 6a 73 2f 64 3d 31 2f 6b 3d 22 2c 22 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 41 38 54 33 43 4f 51 34 52 73 59 2e 65 73 35 2e 4f 22 2c 22 2f 72 74 3d 6a 2f 6d 3d 22 2c 61 2c 22 2f 72 73 3d 22 2c 22 41 41 32 59 72 54 76 41 69 71 6f 6e 41 68 7a 58 61 63 66 47 55 57 36 4b 77 59 5f 42 47 46 73 62 67 41 22 5d 3b 4b 61 26 26 61 2e 70 75 73 68 28 22 3f 68 6f 73 74 3d 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 26 62 75 73 74 3d 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 73 35 58 43 52 45 31 57 76 4f 30 2e 65 73 35 2e 44 55 22 29 3b 61 3d 61 2e 6a 6f 69 6e 28 22 22 29 3b 71 61 28 61 29 7d 3b 70 28 22 63 61 22 2c 49 29 3b 70 28 22 63 72 22 2c 4a 29 3b 70 28 22 63 63 22 2c 48
                                                                Data Ascii: https://www.gstatic.com","/og/_/js/d=1/k=","og.og2.en_US.A8T3COQ4RsY.es5.O","/rt=j/m=",a,"/rs=","AA2YrTvAiqonAhzXacfGUW6KwY_BGFsbgA"];Ka&&a.push("?host=www.gstatic.com&bust=og.og2.en_US.s5XCRE1WvO0.es5.DU");a=a.join("");qa(a)};p("ca",I);p("cr",J);p("cc",H
                                                                2023-01-05 08:22:12 UTC27INData Raw: 6f 64 65 3b 69 66 28 4e 3d 3d 64 29 4e 3d 76 6f 69 64 20 30 2c 0a 4a 28 6b 2c 22 67 62 74 6f 22 29 3b 65 6c 73 65 7b 69 66 28 4e 29 7b 76 61 72 20 6c 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 4e 29 3b 69 66 28 6c 26 26 6c 2e 67 65 74 41 74 74 72 69 62 75 74 65 29 7b 76 61 72 20 6e 3d 6c 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 61 72 69 61 2d 6f 77 6e 65 72 22 29 3b 69 66 28 6e 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 6d 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 6e 29 3b 6d 26 26 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 26 26 4a 28 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 2c 22 67 62 74 6f 22 29 7d 7d 7d 24 61 28 66 29 26 26 61 62 28 66 29 3b 4e 3d 64 3b 49 28 6b 2c 22 67 62 74 6f 22 29 7d 7d 7d 7d
                                                                Data Ascii: ode;if(N==d)N=void 0,J(k,"gbto");else{if(N){var l=document.getElementById(N);if(l&&l.getAttribute){var n=l.getAttribute("aria-owner");if(n.length){var m=document.getElementById(n);m&&m.parentNode&&J(m.parentNode,"gbto")}}}$a(f)&&ab(f);N=d;I(k,"gbto")}}}}
                                                                2023-01-05 08:22:12 UTC28INData Raw: 6e 26 26 64 2b 2b 7d 69 66 28 30 3c 3d 6d 29 7b 76 61 72 20 79 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 6c 69 22 29 2c 7a 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 79 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 63 22 3b 7a 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 20 67 62 6d 68 22 3b 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 7a 29 3b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 79 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 6d 5d 29 7d 67 2e 61 64 64 48 6f 76 65 72 26 26 67 2e 61 64 64 48 6f 76 65 72 28 61 29 7d 65 6c 73 65 20 6b 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6c 29 7d 7d 63 61 74 63 68 28 42 62 29 7b 72 28 42 62 2c 22 73 62 22 2c 22 61 6c 22 29 7d 7d 2c
                                                                Data Ascii: n&&d++}if(0<=m){var y=document.createElement("li"),z=document.createElement("div");y.className="gbmtc";z.className="gbmt gbmh";y.appendChild(z);k.insertBefore(y,k.childNodes[m])}g.addHover&&g.addHover(a)}else k.appendChild(l)}}catch(Bb){r(Bb,"sb","al")}},
                                                                2023-01-05 08:22:12 UTC29INData Raw: 61 72 20 64 3d 24 61 28 61 29 3b 69 66 28 64 29 7b 69 66 28 63 29 7b 64 2e 74 65 78 74 43 6f 6e 74 65 6e 74 3d 22 22 3b 62 3d 62 2e 73 70 6c 69 74 28 63 29 3b 66 6f 72 28 76 61 72 20 66 3d 30 3b 63 3d 62 5b 66 5d 3b 66 2b 2b 29 7b 76 61 72 20 6b 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 0a 6b 2e 69 6e 6e 65 72 48 54 4d 4c 3d 63 3b 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6b 29 7d 7d 65 6c 73 65 20 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 62 3b 50 28 61 2c 21 30 29 7d 7d 7d 2c 50 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 28 62 3d 76 6f 69 64 20 30 21 3d 3d 62 3f 62 3a 21 30 29 3f 49 28 61 2c 22 67 62 6d 73 67 6f 22 29 3a 4a 28 61 2c 22 67 62 6d 73 67 6f 22 29 7d 2c 24 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29
                                                                Data Ascii: ar d=$a(a);if(d){if(c){d.textContent="";b=b.split(c);for(var f=0;c=b[f];f++){var k=document.createElement("div");k.innerHTML=c;d.appendChild(k)}}else d.innerHTML=b;P(a,!0)}}},P=function(a,b){(b=void 0!==b?b:!0)?I(a,"gbmsgo"):J(a,"gbmsgo")},$a=function(a)
                                                                2023-01-05 08:22:12 UTC30INData Raw: 61 28 22 22 29 3b 78 2e 70 75 73 68 28 5b 22 67 63 22 2c 7b 61 75 74 6f 3a 41 62 2c 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 67 63 69 5f 39 31 66 33 30 37 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 6c 69 62 73 3a 22 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6c 69 65 6e 74 3a 67 61 70 69 2e 69 66 72 61 6d 65 73 22 7d 5d 29 3b 76 61 72 20 43 62 3d 7b 76 65 72 73 69 6f 6e 3a 22 67 63 69 5f 39 31 66 33 30 37 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 69 6e 64 65 78 3a 22 22 2c 6c 61 6e 67 3a 22 64 65 22 7d 3b 77 2e 67 63 3d 43 62 3b 76 61 72 20 44 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 77 69 6e 64 6f 77 2e
                                                                Data Ascii: a("");x.push(["gc",{auto:Ab,url:"//ssl.gstatic.com/gb/js/abc/gci_91f30755d6a6b787dcc2a4062e6e9824.js",libs:"googleapis.client:gapi.iframes"}]);var Cb={version:"gci_91f30755d6a6b787dcc2a4062e6e9824.js",index:"",lang:"de"};w.gc=Cb;var Db=function(a){window.
                                                                2023-01-05 08:22:12 UTC32INData Raw: 74 65 20 62 2e 6f 67 77 29 3b 66 3d 5b 5d 3b 66 6f 72 28 7a 20 69 6e 20 62 29 30 21 3d 66 2e 6c 65 6e 67 74 68 26 26 66 2e 70 75 73 68 28 22 2c 22 29 2c 66 2e 70 75 73 68 28 4c 62 28 7a 29 29 2c 66 2e 70 75 73 68 28 22 2e 22 29 2c 66 2e 70 75 73 68 28 4c 62 28 62 5b 7a 5d 29 29 3b 76 61 72 20 7a 3d 66 2e 6a 6f 69 6e 28 22 22 29 3b 22 22 21 3d 7a 26 26 28 61 2e 70 75 73 68 28 22 26 6f 67 61 64 3d 22 29 2c 61 2e 70 75 73 68 28 64 28 7a 29 29 29 7d 6a 61 28 61 2e 6a 6f 69 6e 28 22 22 29 29 7d 7d 0a 66 75 6e 63 74 69 6f 6e 20 4c 62 28 61 29 7b 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 61 26 26 28 61 2b 3d 22 22 29 3b 72 65 74 75 72 6e 22 73 74 72 69 6e 67 22 3d 3d 74 79 70 65 6f 66 20 61 3f 61 2e 72 65 70 6c 61 63 65 28 22 2e 22 2c 22 25 32 45 22 29
                                                                Data Ascii: te b.ogw);f=[];for(z in b)0!=f.length&&f.push(","),f.push(Lb(z)),f.push("."),f.push(Lb(b[z]));var z=f.join("");""!=z&&(a.push("&ogad="),a.push(d(z)))}ja(a.join(""))}}function Lb(a){"number"==typeof a&&(a+="");return"string"==typeof a?a.replace(".","%2E")
                                                                2023-01-05 08:22:12 UTC33INData Raw: 29 72 65 74 75 72 6e 20 61 2e 69 6e 64 65 78 4f 66 28 62 2c 63 29 3b 69 66 28 41 72 72 61 79 2e 69 6e 64 65 78 4f 66 29 72 65 74 75 72 6e 20 41 72 72 61 79 2e 69 6e 64 65 78 4f 66 28 61 2c 62 2c 63 29 3b 66 6f 72 28 63 3d 6e 75 6c 6c 3d 3d 63 3f 30 3a 30 3e 63 3f 4d 61 74 68 2e 6d 61 78 28 30 2c 61 2e 6c 65 6e 67 74 68 2b 63 29 3a 63 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 63 20 69 6e 20 61 26 26 61 5b 63 5d 3d 3d 3d 62 29 72 65 74 75 72 6e 20 63 3b 72 65 74 75 72 6e 2d 31 7d 2c 59 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 72 65 74 75 72 6e 2d 31 3d 3d 59 62 28 61 2c 58 29 3f 28 72 28 45 72 72 6f 72 28 58 2b 22 5f 22 2b 62 29 2c 22 75 70 22 2c 22 63 61 61 22 29 2c 21 31 29 3a 21 30 7d 2c 24 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29
                                                                Data Ascii: )return a.indexOf(b,c);if(Array.indexOf)return Array.indexOf(a,b,c);for(c=null==c?0:0>c?Math.max(0,a.length+c):c;c<a.length;c++)if(c in a&&a[c]===b)return c;return-1},Y=function(a,b){return-1==Yb(a,X)?(r(Error(X+"_"+b),"up","caa"),!1):!0},$b=function(a,b)
                                                                2023-01-05 08:22:12 UTC34INData Raw: 63 61 74 63 68 28 66 29 7b 66 2e 63 6f 64 65 21 3d 44 4f 4d 45 78 63 65 70 74 69 6f 6e 2e 51 55 4f 54 41 5f 45 58 43 45 45 44 45 44 5f 45 52 52 26 26 72 28 66 2c 22 75 70 22 2c 22 73 70 64 22 29 7d 7d 2c 68 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 74 72 79 7b 69 66 28 64 63 28 64 6f 63 75 6d 65 6e 74 29 29 72 65 74 75 72 6e 22 22 3b 0a 63 7c 7c 28 62 3d 22 6f 67 2d 75 70 2d 22 2b 62 29 3b 69 66 28 65 63 28 29 29 72 65 74 75 72 6e 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 62 29 3b 69 66 28 66 63 28 61 29 29 72 65 74 75 72 6e 20 61 2e 6c 6f 61 64 28 61 2e 69 64 29 2c 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 62 29 7d 63 61 74 63 68 28 64 29 7b 64 2e 63 6f 64 65 21 3d 44 4f 4d 45 78 63 65 70 74 69 6f 6e 2e 51 55
                                                                Data Ascii: catch(f){f.code!=DOMException.QUOTA_EXCEEDED_ERR&&r(f,"up","spd")}},hc=function(a,b,c){try{if(dc(document))return"";c||(b="og-up-"+b);if(ec())return e.localStorage.getItem(b);if(fc(a))return a.load(a.id),a.getAttribute(b)}catch(d){d.code!=DOMException.QU
                                                                2023-01-05 08:22:12 UTC35INData Raw: 68 2e 61 28 22 31 22 29 2c 64 3d 68 2e 61 28 22 22 29 2c 66 3d 33 2c 6b 3d 78 2c 6c 3d 30 2c 6e 3d 77 69 6e 64 6f 77 2e 67 62 61 72 4f 6e 52 65 61 64 79 3b 69 66 28 6e 29 74 72 79 7b 6e 28 29 7d 63 61 74 63 68 28 6d 29 7b 72 28 6d 2c 22 6d 6c 22 2c 22 6f 72 22 29 7d 64 3f 70 28 22 6c 64 62 22 2c 61 29 3a 63 3f 63 61 28 77 69 6e 64 6f 77 2c 22 6c 6f 61 64 22 2c 62 29 3a 62 28 29 7d 70 28 22 72 64 6c 22 2c 6c 63 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69
                                                                Data Ascii: h.a("1"),d=h.a(""),f=3,k=x,l=0,n=window.gbarOnReady;if(n)try{n()}catch(m){r(m,"ml","or")}d?p("ldb",a):c?ca(window,"load",b):b()}p("rdl",lc);}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try{var b=window.gbar.i
                                                                2023-01-05 08:22:12 UTC36INData Raw: 2e 6b 45 58 50 49 26 26 28 61 2e 68 72 65 66 2b 3d 22 26 65 69 3d 22 2b 62 2e 6b 45 49 29 7d 2c 70 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 6d 28 61 29 3b 0a 6e 28 61 29 7d 2c 71 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 26 26 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 73 6e 29 7b 76 61 72 20 61 3d 2f 2e 2a 68 70 24 2f 3b 72 65 74 75 72 6e 20 61 2e 74 65 73 74 28 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 73 6e 29 3f 22 22 3a 22 31 22 7d 72 65 74 75 72 6e 22 2d 31 22 7d 3b 65 2e 72 70 3d 71 3b 65 2e 73 6c 70 3d 6b 3b 65 2e 71 73 3d 70 3b 65 2e 71 73 69 3d 6e 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c
                                                                Data Ascii: .kEXPI&&(a.href+="&ei="+b.kEI)},p=function(a){m(a);n(a)},q=function(){if(window.google&&window.google.sn){var a=/.*hp$/;return a.test(window.google.sn)?"":"1"}return"-1"};e.rp=q;e.slp=k;e.qs=p;e.qsi=n;}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,
                                                                2023-01-05 08:22:12 UTC38INData Raw: 69 65 73 67 3d 66 61 6c 73 65 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6e 20 26 26 20 77 69 6e 64 6f 77 2e 6e 28 29 3b 69 66 20 28 64 6f 63 75 6d 65 6e 74 2e 69 6d 61 67 65 73 29 7b 6e 65 77 20 49 6d 61 67 65 28 29 2e 73 72 63 3d 73 72 63 3b 7d 0a 69 66 20 28 21 69 65 73 67 29 7b 64 6f 63 75 6d 65 6e 74 2e 66 26 26 64 6f 63 75 6d 65 6e 74 2e 66 2e 71 2e 66 6f 63 75 73 28 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 62 71 66 26 26 64 6f 63 75 6d 65 6e 74 2e 67 62 71 66 2e 71 2e 66 6f 63 75 73 28 29 3b 7d 0a 7d 0a 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 69 64 3d 22 6d 6e 67 62 22 3e 3c 64 69 76 20 69 64 3d 67 62 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 4d 54
                                                                Data Ascii: iesg=false;document.body.onload = function(){window.n && window.n();if (document.images){new Image().src=src;}if (!iesg){document.f&&document.f.q.focus();document.gbqf&&document.gbqf.q.focus();}}})();</script><div id="mngb"><div id=gb><script nonce='MT
                                                                2023-01-05 08:22:12 UTC39INData Raw: 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 32 33 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 6d 61 69 6c 2f 3f 74 61 62 3d 77 6d 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 47 6d 61 69 6c 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 34 39 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 72 69 76 65 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3f 74 61 62 3d 77 6f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61
                                                                Data Ascii: n></a></li><li class=gbt><a class=gbzt id=gb_23 href="https://mail.google.com/mail/?tab=wm"><span class=gbtb2></span><span class=gbts>Gmail</span></a></li><li class=gbt><a class=gbzt id=gb_49 href="https://drive.google.com/?tab=wo"><span class=gbtb2></spa
                                                                2023-01-05 08:22:12 UTC40INData Raw: 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 33 30 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6c 6f 67 67 65 72 2e 63 6f 6d 2f 3f 74 61 62 3d 77 6a 22 3e 42 6c 6f 67 67 65 72 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 32 37 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 66 69 6e 61 6e 63 65 3f 74 61 62 3d 77 65 22 3e 46 69 6e 61 6e 7a 65 6e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 33 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 68 6f 74 6f 73 2e 67 6f 6f 67 6c 65 2e 63
                                                                Data Ascii: s=gbmtc><a class=gbmt id=gb_30 href="https://www.blogger.com/?tab=wj">Blogger</a></li><li class=gbmtc><a class=gbmt id=gb_27 href="https://www.google.com/finance?tab=we">Finanzen</a></li><li class=gbmtc><a class=gbmt id=gb_31 href="https://photos.google.c
                                                                2023-01-05 08:22:12 UTC41INData Raw: 67 62 69 34 73 31 3e 41 6e 6d 65 6c 64 65 6e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 74 20 67 62 74 62 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 3c 2f 73 70 61 6e 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 67 74 20 69 64 3d 67 62 67 35 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 68 2f 70 72 65 66 65 72 65 6e 63 65 73 3f 68 6c 3d 64 65 22 20 74 69 74 6c 65 3d 22 4f 70 74 69 6f 6e 65 6e 22 20 61 72 69 61 2d 68 61 73 70 6f 70 75 70 3d 74 72 75 65 20 61 72 69 61 2d 6f 77 6e 73 3d 67 62 64 35 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d
                                                                Data Ascii: gbi4s1>Anmelden</span></span></a></li><li class="gbt gbtb"><span class=gbts></span></li><li class=gbt><a class=gbgt id=gbg5 href="http://www.google.ch/preferences?hl=de" title="Optionen" aria-haspopup=true aria-owns=gbd5><span class=gbtb2></span><span id=
                                                                2023-01-05 08:22:12 UTC43INData Raw: 30 22 3e 3c 74 72 20 76 61 6c 69 67 6e 3d 22 74 6f 70 22 3e 3c 74 64 20 77 69 64 74 68 3d 22 32 35 25 22 3e 26 6e 62 73 70 3b 3c 2f 74 64 3e 3c 74 64 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 6e 6f 77 72 61 70 3d 22 22 3e 3c 69 6e 70 75 74 20 6e 61 6d 65 3d 22 69 65 22 20 76 61 6c 75 65 3d 22 49 53 4f 2d 38 38 35 39 2d 31 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 69 6e 70 75 74 20 76 61 6c 75 65 3d 22 64 65 2d 43 48 22 20 6e 61 6d 65 3d 22 68 6c 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 69 6e 70 75 74 20 6e 61 6d 65 3d 22 73 6f 75 72 63 65 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 76 61 6c 75 65 3d 22 68 70 22 3e 3c 69 6e 70 75 74 20 6e 61 6d 65 3d 22 62 69 77 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 69 6e 70 75 74
                                                                Data Ascii: 0"><tr valign="top"><td width="25%">&nbsp;</td><td align="center" nowrap=""><input name="ie" value="ISO-8859-1" type="hidden"><input value="de-CH" name="hl" type="hidden"><input name="source" type="hidden" value="hp"><input name="biw" type="hidden"><input
                                                                2023-01-05 08:22:12 UTC44INData Raw: 53 75 63 68 65 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 69 6e 70 75 74 20 69 64 3d 22 67 62 76 22 20 6e 61 6d 65 3d 22 67 62 76 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 76 61 6c 75 65 3d 22 31 22 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 4d 54 37 38 44 30 74 6b 5f 4e 62 77 35 58 53 72 75 5f 6c 45 66 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 2c 62 3d 22 31 22 3b 69 66 28 64 6f 63 75 6d 65 6e 74 26 26 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 29 69 66 28 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74 29 62 3d 22 32 22 3b 65 6c 73 65 20 69 66 28 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 41 63 74 69 76
                                                                Data Ascii: Suche</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"><script nonce="MT78D0tk_Nbw5XSru_lEfA">(function(){var a,b="1";if(document&&document.getElementById)if("undefined"!=typeof XMLHttpRequest)b="2";else if("undefined"!=typeof Activ
                                                                2023-01-05 08:22:12 UTC45INData Raw: 55 4b 48 63 44 69 43 57 38 51 32 5a 67 42 43 41 55 22 3e 45 6e 67 6c 69 73 68 3c 2f 61 3e 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 74 70 72 65 66 73 3f 73 69 67 3d 30 5f 5f 4f 41 42 39 48 79 76 64 70 71 50 68 61 4f 32 33 57 41 44 56 6b 55 45 53 41 63 25 33 44 26 61 6d 70 3b 68 6c 3d 66 72 26 61 6d 70 3b 73 6f 75 72 63 65 3d 68 6f 6d 65 70 61 67 65 26 61 6d 70 3b 73 61 3d 58 26 61 6d 70 3b 76 65 64 3d 30 61 68 55 4b 45 77 69 48 75 72 50 37 5f 36 5f 38 41 68 55 43 55 7a 55 4b 48 63 44 69 43 57 38 51 32 5a 67 42 43 41 59 22 3e 46 72 61 6e e7 61 69 73 3c 2f 61 3e 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 74 70 72 65
                                                                Data Ascii: UKHcDiCW8Q2ZgBCAU">English</a> <a href="https://www.google.com/setprefs?sig=0__OAB9HyvdpqPhaO23WADVkUESAc%3D&amp;hl=fr&amp;source=homepage&amp;sa=X&amp;ved=0ahUKEwiHurP7_6_8AhUCUzUKHcDiCW8Q2ZgBCAY">Franais</a> <a href="https://www.google.com/setpre
                                                                2023-01-05 08:22:12 UTC46INData Raw: 58 53 72 75 5f 6c 45 66 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 63 64 6f 3d 7b 68 65 69 67 68 74 3a 37 35 37 2c 77 69 64 74 68 3a 31 34 34 30 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 77 69 6e 64 6f 77 2e 69 6e 6e 65 72 57 69 64 74 68 2c 62 3d 77 69 6e 64 6f 77 2e 69 6e 6e 65 72 48 65 69 67 68 74 3b 69 66 28 21 61 7c 7c 21 62 29 7b 76 61 72 20 63 3d 77 69 6e 64 6f 77 2e 64 6f 63 75 6d 65 6e 74 2c 64 3d 22 43 53 53 31 43 6f 6d 70 61 74 22 3d 3d 63 2e 63 6f 6d 70 61 74 4d 6f 64 65 3f 63 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 3a 63 2e 62 6f 64 79 3b 61 3d 64 2e 63 6c 69 65 6e 74 57 69 64 74 68 3b 62 3d 64 2e 63 6c 69 65 6e 74 48 65 69 67 68 74 7d 61 26 26 62 26 26 28 61 21 3d 67 6f 6f
                                                                Data Ascii: XSru_lEfA">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a||!b){var c=window.document,d="CSS1Compat"==c.compatMode?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}a&&b&&(a!=goo
                                                                2023-01-05 08:22:12 UTC47INData Raw: 50 6f 6c 69 63 79 29 7b 74 72 79 7b 62 3d 6b 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 22 67 6f 6f 67 23 68 74 6d 6c 22 2c 7b 63 72 65 61 74 65 48 54 4d 4c 3a 65 2c 63 72 65 61 74 65 53 63 72 69 70 74 3a 65 2c 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 3a 65 7d 29 7d 63 61 74 63 68 28 71 29 7b 64 2e 63 6f 6e 73 6f 6c 65 26 26 64 2e 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 71 2e 6d 65 73 73 61 67 65 29 7d 67 3d 62 7d 65 6c 73 65 20 67 3d 62 7d 61 3d 28 62 3d 67 29 3f 62 2e 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 28 61 29 3a 61 3b 61 3d 6e 65 77 20 6c 28 61 2c 68 29 3b 63 2e 73 72 63 3d 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 6c 26 26 61 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 3d 6c 3f 61 2e 67 3a 22 74 79 70 65 5f 65 72 72 6f 72 3a 54 72 75 73 74
                                                                Data Ascii: Policy){try{b=k.createPolicy("goog#html",{createHTML:e,createScript:e,createScriptURL:e})}catch(q){d.console&&d.console.error(q.message)}g=b}else g=b}a=(b=g)?b.createScriptURL(a):a;a=new l(a,h);c.src=a instanceof l&&a.constructor===l?a.g:"type_error:Trust
                                                                2023-01-05 08:22:12 UTC49INData Raw: 5c 78 32 32 3a 5c 78 32 32 57 65 69 74 65 72 65 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 5c 78 32 32 2c 5c 78 32 32 70 73 72 63 5c 78 32 32 3a 5c 78 32 32 44 69 65 73 65 20 53 75 63 68 61 6e 66 72 61 67 65 20 77 75 72 64 65 20 61 75 73 20 64 65 69 6e 65 6d 20 5c 5c 75 30 30 33 43 61 20 68 72 65 66 5c 78 33 64 5c 5c 5c 78 32 32 2f 68 69 73 74 6f 72 79 5c 5c 5c 78 32 32 5c 5c 75 30 30 33 45 57 65 62 70 72 6f 74 6f 6b 6f 6c 6c 5c 5c 75 30 30 33 43 2f 61 5c 5c 75 30 30 33 45 20 65 6e 74 66 65 72 6e 74 2e 5c 78 32 32 2c 5c 78 32 32 70 73 72 6c 5c 78 32 32 3a 5c 78 32 32 45 6e 74 66 65 72 6e 65 6e 5c 78 32 32 2c 5c 78 32 32 73 62 69 74 5c 78 32 32 3a 5c 78 32 32 42 69 6c 64 65 72 73 75 63 68 65 5c 78 32 32 2c 5c 78 32 32 73 72 63 68 5c 78 32 32 3a 5c 78 32 32
                                                                Data Ascii: \x22:\x22Weitere Informationen\x22,\x22psrc\x22:\x22Diese Suchanfrage wurde aus deinem \\u003Ca href\x3d\\\x22/history\\\x22\\u003EWebprotokoll\\u003C/a\\u003E entfernt.\x22,\x22psrl\x22:\x22Entfernen\x22,\x22sbit\x22:\x22Bildersuche\x22,\x22srch\x22:\x22
                                                                2023-01-05 08:22:12 UTC49INData Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Statistics

                                                                CPU Usage

                                                                Click to jump to process

                                                                Memory Usage

                                                                Click to jump to process

                                                                High Level Behavior Distribution

                                                                Click to dive into process behavior distribution

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:0
                                                                Start time:09:22:10
                                                                Start date:05/01/2023
                                                                Path:C:\Users\user\Desktop\Dhl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\Desktop\Dhl.exe
                                                                Imagebase:0xba0000
                                                                File size:842752 bytes
                                                                MD5 hash:6A2BCEFB53B034548874A53D22982949
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.422138372.000000000439E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.419766240.0000000003573000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.417679179.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.422650649.0000000004486000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Target ID:1
                                                                Start time:09:23:06
                                                                Start date:05/01/2023
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exe
                                                                Imagebase:0x11d0000
                                                                File size:232960 bytes
                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:4
                                                                Start time:09:23:07
                                                                Start date:05/01/2023
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7fcd70000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:5
                                                                Start time:09:23:07
                                                                Start date:05/01/2023
                                                                Path:C:\Windows\SysWOW64\PING.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:ping 127.0.0.1 -n 43
                                                                Imagebase:0x3e0000
                                                                File size:18944 bytes
                                                                MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:6
                                                                Start time:09:23:50
                                                                Start date:05/01/2023
                                                                Path:C:\Windows\SysWOW64\PING.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:ping 127.0.0.1 -n 43
                                                                Imagebase:0x3e0000
                                                                File size:18944 bytes
                                                                MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                Disassembly

                                                                Reset < >

                                                                  Execution Graph

                                                                  Execution Coverage:12.5%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:148
                                                                  Total number of Limit Nodes:9
                                                                  execution_graph 25491 170d030 25492 170d048 25491->25492 25493 170d0a2 25492->25493 25499 3119891 25492->25499 25509 311795c 25492->25509 25518 31198e8 25492->25518 25527 3118c00 25492->25527 25531 3118c10 25492->25531 25500 311989a 25499->25500 25501 31198ef 25499->25501 25500->25493 25502 3119959 25501->25502 25504 3119949 25501->25504 25551 3117a84 25502->25551 25535 3119a70 25504->25535 25540 3119a80 25504->25540 25545 3119b4c 25504->25545 25505 3119957 25510 3117967 25509->25510 25511 3119959 25510->25511 25513 3119949 25510->25513 25512 3117a84 CallWindowProcW 25511->25512 25514 3119957 25512->25514 25515 3119a70 CallWindowProcW 25513->25515 25516 3119a80 CallWindowProcW 25513->25516 25517 3119b4c CallWindowProcW 25513->25517 25515->25514 25516->25514 25517->25514 25519 31198f8 25518->25519 25520 3119959 25519->25520 25523 3119949 25519->25523 25521 3117a84 CallWindowProcW 25520->25521 25522 3119957 25521->25522 25524 3119a70 CallWindowProcW 25523->25524 25525 3119a80 CallWindowProcW 25523->25525 25526 3119b4c CallWindowProcW 25523->25526 25524->25522 25525->25522 25526->25522 25528 3118c10 25527->25528 25529 311795c CallWindowProcW 25528->25529 25530 3118c57 25529->25530 25530->25493 25532 3118c36 25531->25532 25533 311795c CallWindowProcW 25532->25533 25534 3118c57 25533->25534 25534->25493 25537 3119a80 25535->25537 25536 3119b20 25536->25505 25555 3119b38 25537->25555 25558 3119b28 25537->25558 25542 3119a94 25540->25542 25541 3119b20 25541->25505 25543 3119b38 CallWindowProcW 25542->25543 25544 3119b28 CallWindowProcW 25542->25544 25543->25541 25544->25541 25546 3119b0a 25545->25546 25547 3119b5a 25545->25547 25549 3119b38 CallWindowProcW 25546->25549 25550 3119b28 CallWindowProcW 25546->25550 25548 3119b20 25548->25505 25549->25548 25550->25548 25552 3117a8f 25551->25552 25553 311b09a CallWindowProcW 25552->25553 25554 311b049 25552->25554 25553->25554 25554->25505 25556 3119b49 25555->25556 25562 311afd1 25555->25562 25556->25536 25559 3119b38 25558->25559 25560 3119b49 25559->25560 25561 311afd1 CallWindowProcW 25559->25561 25560->25536 25561->25560 25563 3117a84 CallWindowProcW 25562->25563 25564 311afea 25563->25564 25564->25556 25565 3114550 25566 31145b6 25565->25566 25567 3114665 25566->25567 25570 3114710 25566->25570 25573 3114700 25566->25573 25577 3112fc4 25570->25577 25574 3114710 25573->25574 25575 3112fc4 DuplicateHandle 25574->25575 25576 311473e 25575->25576 25576->25567 25578 3114778 DuplicateHandle 25577->25578 25579 311473e 25578->25579 25579->25567 25580 311db20 25581 311db6a 25580->25581 25583 3112141 25580->25583 25587 3112167 25583->25587 25591 3112178 25583->25591 25584 3112156 25584->25581 25588 3112178 25587->25588 25594 3112270 25588->25594 25589 3112187 25589->25584 25593 3112270 2 API calls 25591->25593 25592 3112187 25592->25584 25593->25592 25595 3112283 25594->25595 25597 311229b 25595->25597 25602 31124e9 25595->25602 25606 31124f8 25595->25606 25596 3112293 25596->25597 25598 3112498 GetModuleHandleW 25596->25598 25597->25589 25599 31124c5 25598->25599 25599->25589 25603 31124f2 25602->25603 25604 3112531 25603->25604 25610 3111638 25603->25610 25604->25596 25607 31124fc 25606->25607 25608 3112531 25607->25608 25609 3111638 LoadLibraryExW 25607->25609 25608->25596 25609->25608 25611 31126b8 LoadLibraryExW 25610->25611 25613 3112731 25611->25613 25613->25604 25614 3115128 25616 3115150 25614->25616 25615 3115178 25616->25615 25618 3114b64 25616->25618 25619 3114b6f 25618->25619 25623 3116b30 25619->25623 25632 3116b48 25619->25632 25620 3115220 25620->25615 25625 3116c6b 25623->25625 25626 3116b79 25623->25626 25624 3116b85 25624->25620 25625->25620 25626->25624 25641 3116e90 25626->25641 25644 3116e80 25626->25644 25627 3116bc6 25627->25625 25648 3117c40 25627->25648 25654 3117c60 25627->25654 25634 3116b79 25632->25634 25635 3116c6b 25632->25635 25633 3116b85 25633->25620 25634->25633 25639 3116e90 2 API calls 25634->25639 25640 3116e80 2 API calls 25634->25640 25635->25620 25636 3116bc6 25636->25635 25637 3117c40 CreateWindowExW 25636->25637 25638 3117c60 CreateWindowExW 25636->25638 25637->25635 25638->25635 25639->25636 25640->25636 25642 3112270 2 API calls 25641->25642 25643 3116e99 25642->25643 25643->25627 25645 3116e90 25644->25645 25646 3112270 2 API calls 25645->25646 25647 3116e99 25646->25647 25647->25627 25649 3117c45 25648->25649 25650 3117d31 25649->25650 25660 31189a1 25649->25660 25665 3118a08 25649->25665 25668 31189e0 25649->25668 25655 3117c8a 25654->25655 25656 3117d31 25655->25656 25657 31189a1 CreateWindowExW 25655->25657 25658 31189e0 CreateWindowExW 25655->25658 25659 3118a08 CreateWindowExW 25655->25659 25657->25656 25658->25656 25659->25656 25661 31189f7 25660->25661 25662 31189aa 25660->25662 25672 3117934 25661->25672 25662->25650 25666 3117934 CreateWindowExW 25665->25666 25667 3118a3d 25666->25667 25667->25650 25669 31189f7 25668->25669 25670 3117934 CreateWindowExW 25669->25670 25671 3118a3d 25670->25671 25671->25650 25673 3118a58 CreateWindowExW 25672->25673 25675 3118b7c 25673->25675

                                                                  Executed Functions

                                                                  Function 0175E860 Relevance: 1.5, Instructions: 1454COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b662175a8b21808978449d2ef0d0a419bb70dd422d1e6ee81a0717e0738b0777
                                                                  • Instruction ID: 4a757a7b02524419b540533de0facc4079e83abc9225bf5add7872bac0d93b36
                                                                  • Opcode Fuzzy Hash: b662175a8b21808978449d2ef0d0a419bb70dd422d1e6ee81a0717e0738b0777
                                                                  • Instruction Fuzzy Hash: 6AB20F30B002158FDB64AB78D8547BEFBA3EF89244F148469D906DB385DFB49C46CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01756E18 Relevance: 1.0, Instructions: 965COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 75d557133ff3bdf8ca5c9a0c103dc26fa04932b3adfed7fb0c0a174958dd5aaf
                                                                  • Instruction ID: 07c7fcf4a4e0f389220c8cc3b14df2b379d78aacb291e62324031e2f0ad9155e
                                                                  • Opcode Fuzzy Hash: 75d557133ff3bdf8ca5c9a0c103dc26fa04932b3adfed7fb0c0a174958dd5aaf
                                                                  • Instruction Fuzzy Hash: 61827C70A002199FDB58CF69C884AAEBBF6FF89344F548069E905EB351DB74EC45CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01757A40 Relevance: 1.0, Instructions: 950COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 800e94221150bbd962dd1c6937c00cc883c2763748764990f95d5d0df2376aaa
                                                                  • Instruction ID: e841fcc390c38d501711ae6f6136960a8d7ec0ec049b4f06caa3cebf159a375c
                                                                  • Opcode Fuzzy Hash: 800e94221150bbd962dd1c6937c00cc883c2763748764990f95d5d0df2376aaa
                                                                  • Instruction Fuzzy Hash: 5B825930A00209DFCB55CF69C584AAEFBF2EF48314F158959E9199B3A2D770ED41CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01754029 Relevance: 6.5, Strings: 5, Instructions: 202COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 1754029-175402a 1 1754031-1754032 0->1 2 175402c-1754030 0->2 3 1754034-1754038 1->3 4 1754039-175404e 1->4 2->1 3->4 5 1754053-1754056 4->5 6 175405f 5->6 7 1754058 5->7 82 175405f call 1754590 6->82 83 175405f call 175465b 6->83 7->6 8 17541b5-17541ba 7->8 9 1754176-17541b1 7->9 10 17540d6-1754117 7->10 11 1754252-17542b2 7->11 12 175411c-175412e 7->12 13 175416c-1754171 7->13 14 17541bf-17541d2 7->14 15 17541de-175424d 7->15 16 1754099-17540b9 7->16 17 17540bb-17540cd 7->17 18 175413a-1754167 7->18 8->5 9->8 10->5 61 17542b4-17542b9 11->61 62 17542c1-17542d6 11->62 12->5 13->5 14->5 15->5 16->5 17->5 18->5 20 1754065-1754097 20->5 61->62 65 17542f0-17542f6 62->65 66 17542d8-17542e0 62->66 68 1754305-1754320 65->68 69 17542f8-17542fd 65->69 66->65 73 1754322 call 1755555 68->73 74 1754322 call 1755464 68->74 75 1754322 call 17555a7 68->75 76 1754322 call 1755771 68->76 77 1754322 call 17555e1 68->77 78 1754322 call 1755630 68->78 79 1754322 call 1755343 68->79 80 1754322 call 17553dc 68->80 81 1754322 call 1755348 68->81 69->68 72 1754328-175432f 73->72 74->72 75->72 76->72 77->72 78->72 79->72 80->72 81->72 82->20 83->20
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @ [k$@ [k$@ [k$@ [k$@ [k
                                                                  • API String ID: 0-2030157674
                                                                  • Opcode ID: 59dc030c20cb0a593919003d5540c52906a1b2763a28855a5851f8adf3ddabb4
                                                                  • Instruction ID: 23b423ffc1843cce3e22f97679da45d06e92140784c4dc23aa6801bf7e574159
                                                                  • Opcode Fuzzy Hash: 59dc030c20cb0a593919003d5540c52906a1b2763a28855a5851f8adf3ddabb4
                                                                  • Instruction Fuzzy Hash: E6612E30A082558BDF589B68D0503BEF6B2EF41250F1581A9CD1B5B395FBB5CCC5C792
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03112270 Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 84 3112270-3112285 call 31115d0 87 3112287 84->87 88 311229b-311229f 84->88 138 311228d call 31124e9 87->138 139 311228d call 31124f8 87->139 89 31122a1-31122ab 88->89 90 31122b3-31122f4 88->90 89->90 95 3112301-311230f 90->95 96 31122f6-31122fe 90->96 91 3112293-3112295 91->88 92 31123d0-3112490 91->92 133 3112492-3112495 92->133 134 3112498-31124c3 GetModuleHandleW 92->134 98 3112311-3112316 95->98 99 3112333-3112335 95->99 96->95 100 3112321 98->100 101 3112318-311231f call 31115dc 98->101 102 3112338-311233f 99->102 104 3112323-3112331 100->104 101->104 105 3112341-3112349 102->105 106 311234c-3112353 102->106 104->102 105->106 109 3112360-3112369 call 31115ec 106->109 110 3112355-311235d 106->110 115 3112376-311237b 109->115 116 311236b-3112373 109->116 110->109 117 3112399-31123a6 115->117 118 311237d-3112384 115->118 116->115 125 31123c9-31123cf 117->125 126 31123a8-31123c6 117->126 118->117 119 3112386-3112396 call 31115fc call 311160c 118->119 119->117 126->125 133->134 135 31124c5-31124cb 134->135 136 31124cc-31124e0 134->136 135->136 138->91 139->91
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 031124B6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: e040305cbb54512e19376b927c477542cf53217e0a770e0fdc938f73209f59f0
                                                                  • Instruction ID: 9ad4bb1be35039cd7d15bd45963ac2b592948388615c5f0abf3df3bc585b8dde
                                                                  • Opcode Fuzzy Hash: e040305cbb54512e19376b927c477542cf53217e0a770e0fdc938f73209f59f0
                                                                  • Instruction Fuzzy Hash: B6712170A10B058FDB24DF2AD54079AB7F1BF88204F04892ED48ADBB50DB74E85ACF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03117918 Relevance: 1.6, APIs: 1, Instructions: 127COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 140 3117918-3118abe 144 3118ac0-3118ac6 140->144 145 3118ac9-3118ad0 140->145 144->145 146 3118ad2-3118ad8 145->146 147 3118adb-3118b13 145->147 146->147 148 3118b1b-3118b7a CreateWindowExW 147->148 149 3118b83-3118bbb 148->149 150 3118b7c-3118b82 148->150 154 3118bc8 149->154 155 3118bbd-3118bc0 149->155 150->149 156 3118bc9 154->156 155->154 156->156
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03118B6A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: f832048bea869eed82f314835c745d04d2d742ded58f9d3db4292df42d33851b
                                                                  • Instruction ID: b5c202a1c9aff1743cb17e9348477f595c14f4012b11dd4ac84f7a242ca20e62
                                                                  • Opcode Fuzzy Hash: f832048bea869eed82f314835c745d04d2d742ded58f9d3db4292df42d33851b
                                                                  • Instruction Fuzzy Hash: A15101B1D00348DFDB15CFA9C880ADEBFB1BF48314F28856AE819AB211D7749885CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03118A4D Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 172 3118a4d-3118abe 173 3118ac0-3118ac6 172->173 174 3118ac9-3118ad0 172->174 173->174 175 3118ad2-3118ad8 174->175 176 3118adb-3118b13 174->176 175->176 177 3118b1b-3118b7a CreateWindowExW 176->177 178 3118b83-3118bbb 177->178 179 3118b7c-3118b82 177->179 183 3118bc8 178->183 184 3118bbd-3118bc0 178->184 179->178 185 3118bc9 183->185 184->183 185->185
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03118B6A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: e42d00c031341052927df32c0a16fbb347ef013f6bcc992b6df56fc8b8e63bd4
                                                                  • Instruction ID: 7d15b99200576b6cf53fbc364f6e7a60ec1ca8c1dc62db8bff87a641607bf9e0
                                                                  • Opcode Fuzzy Hash: e42d00c031341052927df32c0a16fbb347ef013f6bcc992b6df56fc8b8e63bd4
                                                                  • Instruction Fuzzy Hash: 6F51B2B1D10219DFDB14CFAAD984ADEBBB1BF48314F24822AE815AB210D7759985CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03117934 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 157 3117934-3118abe 159 3118ac0-3118ac6 157->159 160 3118ac9-3118ad0 157->160 159->160 161 3118ad2-3118ad8 160->161 162 3118adb-3118b7a CreateWindowExW 160->162 161->162 164 3118b83-3118bbb 162->164 165 3118b7c-3118b82 162->165 169 3118bc8 164->169 170 3118bbd-3118bc0 164->170 165->164 171 3118bc9 169->171 170->169 171->171
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03118B6A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 2a48dd451a1f1db3ee5e9c4b569a8a016281b56296eb3ede1fd289d488eb6a85
                                                                  • Instruction ID: 949af6396a888bc36e63c3f83500cb72d985a6c80644ab379e92a572244dca1b
                                                                  • Opcode Fuzzy Hash: 2a48dd451a1f1db3ee5e9c4b569a8a016281b56296eb3ede1fd289d488eb6a85
                                                                  • Instruction Fuzzy Hash: 0751BEB1D10309DFDB14CFAAD984ADEBBB5FF48314F24812AE819AB210D7759895CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03117A84 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 186 3117a84-311b03c 189 311b042-311b047 186->189 190 311b0ec-311b10c call 311795c 186->190 192 311b049-311b080 189->192 193 311b09a-311b0d2 CallWindowProcW 189->193 197 311b10f-311b11c 190->197 200 311b082-311b088 192->200 201 311b089-311b098 192->201 195 311b0d4-311b0da 193->195 196 311b0db-311b0ea 193->196 195->196 196->197 200->201 201->197
                                                                  APIs
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 0311B0C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: CallProcWindow
                                                                  • String ID:
                                                                  • API String ID: 2714655100-0
                                                                  • Opcode ID: f271dd4391ae60d6f2685d3da1471750dac229bbd62febcc4eab923624f10fe0
                                                                  • Instruction ID: 74dc7594f59042f170ca9c99c014bffa63383d680f340a4af7dfd5af3a7baedd
                                                                  • Opcode Fuzzy Hash: f271dd4391ae60d6f2685d3da1471750dac229bbd62febcc4eab923624f10fe0
                                                                  • Instruction Fuzzy Hash: 924128B4A043098FCB14CF99C488AAABBF5FB8C314F15C459E419A7321D775A845CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03112FC4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 203 3112fc4-311480c DuplicateHandle 205 3114815-3114832 203->205 206 311480e-3114814 203->206 206->205
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0311473E,?,?,?,?,?), ref: 031147FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 27523c5cb183180eb6d7b6ed27c41a31c8bed815c33eced1f927fde3a33830c9
                                                                  • Instruction ID: 6d9bef3c3549d1563f04922d99e53bd4f79a81780b8f5b65aa428899762452a1
                                                                  • Opcode Fuzzy Hash: 27523c5cb183180eb6d7b6ed27c41a31c8bed815c33eced1f927fde3a33830c9
                                                                  • Instruction Fuzzy Hash: CE2105B59002089FDB10CFAAD584AEEBBF4EB48324F14802AE954B3710D375A954CFA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03114770 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 209 3114770-3114772 210 3114778-311480c DuplicateHandle 209->210 211 3114815-3114832 210->211 212 311480e-3114814 210->212 212->211
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0311473E,?,?,?,?,?), ref: 031147FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: b14a4d1664afdf58b68ebf0d63cc5444e94e0968182b6f4151c4dd0a737ac5ff
                                                                  • Instruction ID: e6aeef2cf70a7f07912a48ae13cc4e141f04cdffbd22ff14d32113a692da9ee8
                                                                  • Opcode Fuzzy Hash: b14a4d1664afdf58b68ebf0d63cc5444e94e0968182b6f4151c4dd0a737ac5ff
                                                                  • Instruction Fuzzy Hash: 8421E3B5901248DFDB10CFAAD984ADEBBF8FB48324F14805AE954A3710D375A954CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03111638 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 215 3111638-31126f8 217 3112700-311272f LoadLibraryExW 215->217 218 31126fa-31126fd 215->218 219 3112731-3112737 217->219 220 3112738-3112755 217->220 218->217 219->220
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,03112531,00000800,00000000,00000000), ref: 03112722
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: f67fa9c3832bee7582a1be92af5dfd4189ad512f2e1766c09bb0a362763a1f44
                                                                  • Instruction ID: a4ab9d6f967a6ffaf48f16a9bcda7dd84387529dc73ee20da3399e776c61d60f
                                                                  • Opcode Fuzzy Hash: f67fa9c3832bee7582a1be92af5dfd4189ad512f2e1766c09bb0a362763a1f44
                                                                  • Instruction Fuzzy Hash: 591114B69002498FCB10CF9AC584ADEFBF4EB58324F04842AE855B7710C375A559CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 031126B0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 223 31126b0-31126f8 225 3112700-311272f LoadLibraryExW 223->225 226 31126fa-31126fd 223->226 227 3112731-3112737 225->227 228 3112738-3112755 225->228 226->225 227->228
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,03112531,00000800,00000000,00000000), ref: 03112722
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 53e0a1addc5c5804648c0029c726201005a75cf90397cc9c9431a69ab541466e
                                                                  • Instruction ID: 97cbdf7e07970ce1d4da7a73fd5c028a1a15d63fbb01081854b31860207cab32
                                                                  • Opcode Fuzzy Hash: 53e0a1addc5c5804648c0029c726201005a75cf90397cc9c9431a69ab541466e
                                                                  • Instruction Fuzzy Hash: 001114B6D002088FCB10CFAAC544ADEFBF4EB58324F04842AE955B7710C375A549CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03112450 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 231 3112450-3112490 232 3112492-3112495 231->232 233 3112498-31124c3 GetModuleHandleW 231->233 232->233 234 31124c5-31124cb 233->234 235 31124cc-31124e0 233->235 234->235
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 031124B6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 99146c2f75a6e5c55e434634a51abce1783a19d30386978ce1c72237d9eca7e3
                                                                  • Instruction ID: 19bf1e846f33b7a2d47960ae37b388abc09d906b8bb0d69f9e61f44fcb872387
                                                                  • Opcode Fuzzy Hash: 99146c2f75a6e5c55e434634a51abce1783a19d30386978ce1c72237d9eca7e3
                                                                  • Instruction Fuzzy Hash: D211DFB6D002498FDB10CF9AC444BDEFBF4AB89224F14846AD859B7A10D379A546CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01755464 Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 697 1755464-17554a6 call 17546b8 706 17554a8 call 1755941 697->706 707 17554a8 call 1755810 697->707 703 17554ae-17554b7 704 17554bf-17554cc 703->704 706->703 707->703
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: #H
                                                                  • API String ID: 0-1464156287
                                                                  • Opcode ID: 0c5581e18d8f5815005154cd033cf952991aa0171e669dd614b9f44776e9aff4
                                                                  • Instruction ID: 3cf40417776c2db749fc945be58c1b6e88a7bfb819c9d96f7bce05656d4ecdf6
                                                                  • Opcode Fuzzy Hash: 0c5581e18d8f5815005154cd033cf952991aa0171e669dd614b9f44776e9aff4
                                                                  • Instruction Fuzzy Hash: 8DF08234B003106BF344A6748C65BAE61D79BC9744F05C02DF906EF3C4CEB49C455356
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 017546B8 Relevance: .3, Instructions: 327COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1380 17546b8-17546d5 1382 17546f7-175470a 1380->1382 1383 175470d-1754722 1382->1383 1385 1754a55-1754aa6 1383->1385 1386 1754728-1754738 1383->1386 1489 1754aa9-1754abf 1385->1489 1490 1754aa8 1385->1490 1386->1385 1388 175473e-1754743 1386->1388 1390 1754746-175474b 1388->1390 1392 17546d7-17546da 1390->1392 1394 17546e3-17546f5 1392->1394 1395 17546dc 1392->1395 1394->1392 1395->1382 1395->1383 1395->1390 1395->1394 1397 17549b4-17549b6 1395->1397 1398 17548d4-17548f3 1395->1398 1399 175485d 1395->1399 1400 17548f8-17548fa 1395->1400 1401 175489b-17548b1 1395->1401 1402 175499b-17549a1 1395->1402 1403 1754787-175478b 1395->1403 1404 1754881-1754888 1395->1404 1405 1754861-175487c 1395->1405 1406 17547e2-17547f6 1395->1406 1407 175474d-1754763 1395->1407 1408 17547ad-17547dd 1395->1408 1409 1754a2f-1754a33 1395->1409 1410 175498e-1754996 1395->1410 1421 17549d4 1397->1421 1422 17549b8-17549be 1397->1422 1398->1392 1399->1405 1414 1754916 1400->1414 1415 17548fc-1754902 1400->1415 1401->1385 1447 17548b7-17548cf 1401->1447 1419 17549a3 1402->1419 1420 17549ad-17549b2 1402->1420 1412 17547a1 1403->1412 1413 175478d-1754796 1403->1413 1423 1754894-1754899 1404->1423 1424 175488a 1404->1424 1405->1392 1450 17547fc 1406->1450 1451 17547f8-17547fa 1406->1451 1407->1385 1453 1754769-1754774 1407->1453 1408->1392 1417 1754a35-1754a3e 1409->1417 1418 1754a49 1409->1418 1410->1392 1431 17547a4-17547aa 1412->1431 1428 175479d 1413->1428 1429 1754798-175479b 1413->1429 1436 1754918-1754934 1414->1436 1433 1754904-1754906 1415->1433 1434 1754908-175490a 1415->1434 1438 1754a45 1417->1438 1439 1754a40-1754a43 1417->1439 1440 1754a4c-1754a52 1418->1440 1441 17549a8 1419->1441 1420->1441 1430 17549d6-17549f6 1421->1430 1443 17549c4-17549d0 1422->1443 1444 17549c0-17549c2 1422->1444 1445 175488f 1423->1445 1424->1445 1448 175479f 1428->1448 1429->1448 1470 1754a17 1430->1470 1471 17549f8-1754a01 1430->1471 1449 1754914 1433->1449 1434->1449 1436->1385 1464 175493a-175496a 1436->1464 1452 1754a47 1438->1452 1439->1452 1441->1392 1454 17549d2 1443->1454 1444->1454 1445->1392 1447->1392 1448->1431 1449->1436 1460 17547ff-1754820 1450->1460 1451->1460 1452->1440 1461 1754776 1453->1461 1462 1754780-1754785 1453->1462 1454->1430 1460->1385 1481 1754826-1754842 1460->1481 1465 175477b 1461->1465 1462->1465 1464->1385 1477 1754970-1754989 1464->1477 1465->1392 1476 1754a1a-1754a2a 1470->1476 1474 1754a03-1754a06 1471->1474 1475 1754a08-1754a0b 1471->1475 1480 1754a15 1474->1480 1475->1480 1476->1392 1477->1392 1480->1476 1481->1385 1488 1754848-1754858 1481->1488 1488->1392 1491 1754ac9-1754ada 1489->1491 1490->1489
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0c38620a2fd6c65fbb1390af6fe237077b7f768600d271218a98eccb4b61c33e
                                                                  • Instruction ID: c2f5ae7284ff4f524f24651b3cfb36220015e34387421f2b0dd97e59347bd055
                                                                  • Opcode Fuzzy Hash: 0c38620a2fd6c65fbb1390af6fe237077b7f768600d271218a98eccb4b61c33e
                                                                  • Instruction Fuzzy Hash: A0C1A030A04158CFDF95CB98C040AADF7B2FB88344F148065E857AB345EBB4ADC1CBA6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0175A4F8 Relevance: .3, Instructions: 321COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1492 175a4f8-175a508 1493 175a50e-175a512 1492->1493 1494 175a77b-175a7d3 1492->1494 1495 175a518-175a51c 1493->1495 1496 175a7da-175a832 1493->1496 1494->1496 1497 175a522-175a546 1495->1497 1498 175a839-175a891 1495->1498 1496->1498 1596 175a549 call 175ad38 1497->1596 1597 175a549 call 175ad2b 1497->1597 1521 175a898-175a948 1498->1521 1513 175a54f-175a55f 1520 175a565-175a57e 1513->1520 1513->1521 1531 175a584-175a587 1520->1531 1532 175a580 1520->1532 1534 175a58e-175a5b9 1531->1534 1535 175a589 1531->1535 1532->1531 1542 175a5d6-175a5d9 1534->1542 1543 175a5bb-175a5cb 1534->1543 1535->1534 1544 175a605-175a608 1542->1544 1545 175a5db-175a5e8 1542->1545 1543->1542 1550 175a5cd-175a5d3 1543->1550 1548 175a634-175a643 1544->1548 1549 175a60a-175a617 1544->1549 1545->1544 1555 175a5ea-175a5ee 1545->1555 1557 175a645-175a655 1548->1557 1558 175a657-175a65a 1548->1558 1549->1548 1556 175a619-175a61d 1549->1556 1550->1542 1559 175a5f0-175a5f6 1555->1559 1560 175a5ff-175a602 1555->1560 1562 175a61f-175a625 1556->1562 1563 175a62e-175a631 1556->1563 1565 175a662-175a6c0 1557->1565 1558->1565 1559->1560 1564 175a5f8-175a5fd 1559->1564 1560->1544 1562->1563 1567 175a627-175a62c 1562->1567 1563->1548 1564->1548 1578 175a6c2-175a716 1565->1578 1579 175a71e-175a72e call 1758e48 1565->1579 1567->1548 1578->1579 1598 175a730 call 175bb60 1579->1598 1599 175a730 call 175bb50 1579->1599 1584 175a736-175a747 1587 175a75e-175a761 1584->1587 1588 175a749-175a75c 1584->1588 1591 175a769-175a778 1587->1591 1588->1591 1596->1513 1597->1513 1598->1584 1599->1584
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dca1345004566481ce866a8ca9aa1545cfd12a721e72d92597d0f7ad4d74559c
                                                                  • Instruction ID: dcfa360c06e1beaabff00c24ffc246e596dfd3cd54beb4bde128d1f49d79da08
                                                                  • Opcode Fuzzy Hash: dca1345004566481ce866a8ca9aa1545cfd12a721e72d92597d0f7ad4d74559c
                                                                  • Instruction Fuzzy Hash: F7C18F30B006158FDB55DF64D954AAEBBF3FF88204F148928D5069B794CF74AC4ACBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01755941 Relevance: .3, Instructions: 285COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e47162f6f0f7e7e528dc54ab6abd0e53103dbd409711082e3f455684501b2deb
                                                                  • Instruction ID: 8d4a74f3986fb8d01169d8c438ae7fc1a5d5de859f1ba2a15a9eafb1759bed13
                                                                  • Opcode Fuzzy Hash: e47162f6f0f7e7e528dc54ab6abd0e53103dbd409711082e3f455684501b2deb
                                                                  • Instruction Fuzzy Hash: 94C1FA3830054CEFD715DF68F958B997723E789318F208968DD0613B948F3DAC59DA2A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01756B40 Relevance: .3, Instructions: 267COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c1d99bee6ee65ab8ec16f87d008816fe1dfe124f6e1d3bc723ee443f4dd5bfa6
                                                                  • Instruction ID: 4ca2022dbdf39a91af7cbd005391c22ddb9e9bbd0a9f26351a62f7d50c63d580
                                                                  • Opcode Fuzzy Hash: c1d99bee6ee65ab8ec16f87d008816fe1dfe124f6e1d3bc723ee443f4dd5bfa6
                                                                  • Instruction Fuzzy Hash: 06A1C174A006058FDF94CF6CC884A69FBB2FF49200B9585A9E905DB365D771EC81CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01756450 Relevance: .2, Instructions: 229COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 17f990e8703d7e64354c5abebc6838c37cd0a4170b297693218bf80797a6e11e
                                                                  • Instruction ID: cb4c011d9b9c15190b3c0f88943a9019cf3fc05520a0b255522665ac2fddadd5
                                                                  • Opcode Fuzzy Hash: 17f990e8703d7e64354c5abebc6838c37cd0a4170b297693218bf80797a6e11e
                                                                  • Instruction Fuzzy Hash: 0181B1307002159FDB45AF68D859BAEBBB7EB88745F548428FA06DB380CF709C45CB95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0175BB60 Relevance: .2, Instructions: 224COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dbcfb0289f8a4dbf4b6acb945676cedae8e088f82167221670dfc496c001fa50
                                                                  • Instruction ID: 12e0bc60ab43cbca11fbc60feb03b6c55e2663b082218a9b6b2af4e7ab0b17a5
                                                                  • Opcode Fuzzy Hash: dbcfb0289f8a4dbf4b6acb945676cedae8e088f82167221670dfc496c001fa50
                                                                  • Instruction Fuzzy Hash: 2E61F4343042548FDB596B39586967EBEE7AFC5640718807EEA03CB385DFB8CC069396
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0175A4EB Relevance: .2, Instructions: 170COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 700d459c26bcf0b0278d49000c0265f9037ae5e29a4ce714fada6f281b096306
                                                                  • Instruction ID: eec6742a48fdbd33bc82e6f09edb695deaae80339e04171e21313163f70def48
                                                                  • Opcode Fuzzy Hash: 700d459c26bcf0b0278d49000c0265f9037ae5e29a4ce714fada6f281b096306
                                                                  • Instruction Fuzzy Hash: 2D715F30A00715CFCB64DF64D954A9EBBF2FF88304F148A29D84697790DB74AC45DBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01756748 Relevance: .1, Instructions: 148COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6ab762f2cc69deba6bc52f52005fb7930c7d87246c64baedc74f1c2f6a698ba8
                                                                  • Instruction ID: 09932b62a32c748e83489b879ef9b4089b59486de58cd75ebd08ad650718db1b
                                                                  • Opcode Fuzzy Hash: 6ab762f2cc69deba6bc52f52005fb7930c7d87246c64baedc74f1c2f6a698ba8
                                                                  • Instruction Fuzzy Hash: DD5101707002448FDB55AF78989477EBBA3AB85248F44846DE90ACB382DFB49C49D791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0175AD38 Relevance: .1, Instructions: 110COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2b7047369249b3b94f80726c98faa3d8f42fcfaa00c87476271e4b4a271ed55a
                                                                  • Instruction ID: b9d14dca385d6e1891efd9dcb30021497dd09bd9e0246d8e3aaf22a0eec19bd4
                                                                  • Opcode Fuzzy Hash: 2b7047369249b3b94f80726c98faa3d8f42fcfaa00c87476271e4b4a271ed55a
                                                                  • Instruction Fuzzy Hash: 59313730B043158FCB96DB28D84596FFBB6EF8970071985B6E806D7256DBB0EC41DB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01755348 Relevance: .1, Instructions: 102COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: af4510173e015dd2e23f53c48e44fe52f548ab05eefb86b05a76935155f0ebef
                                                                  • Instruction ID: 2d6725cc5f981e1854a986fa9244cbafd59fdab95b49ad6d3897f669f5fea8fb
                                                                  • Opcode Fuzzy Hash: af4510173e015dd2e23f53c48e44fe52f548ab05eefb86b05a76935155f0ebef
                                                                  • Instruction Fuzzy Hash: 8D31CF30B00154CBE754A6B8C8107AFB5DBABC5758F14852AD90AEB385EEB4CC4543E2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 017586C8 Relevance: .1, Instructions: 98COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a2a3e6add3b19551bf18b48ce9fe5f4beb939027f23aa7137dd650c371cdcc0c
                                                                  • Instruction ID: 5a0900e5603c461c16d450f395f905c5b5eb727291d262ead96e17a0ed59fb6a
                                                                  • Opcode Fuzzy Hash: a2a3e6add3b19551bf18b48ce9fe5f4beb939027f23aa7137dd650c371cdcc0c
                                                                  • Instruction Fuzzy Hash: D831C1317102449FDB059B79D854AAEBBF7EF89250F148069E90AEB381CF349C05CBA6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01755810 Relevance: .1, Instructions: 95COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3d541366234a9f9657544f8caf32d4ef3b164a2c8854fe4e83ad6668da76545f
                                                                  • Instruction ID: 52d4e594fbda618224b37eecf2c92d7432ef016c5aef6107187ff385263f1d1c
                                                                  • Opcode Fuzzy Hash: 3d541366234a9f9657544f8caf32d4ef3b164a2c8854fe4e83ad6668da76545f
                                                                  • Instruction Fuzzy Hash: 37313C3570420ADFCB069F68D858A6EBBA3FB89210F448028FD099B350CF79DD15DB94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 017553DC Relevance: .1, Instructions: 94COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1b8b2af15622fcb4a1d0aa7c3cbc4bcff0f6d3fb079f5da03a6b6d10ab05238c
                                                                  • Instruction ID: dbcc58b36f6a57b6f0b0670c7172e72225759cfd72ee9a8579d22d67f8e727a7
                                                                  • Opcode Fuzzy Hash: 1b8b2af15622fcb4a1d0aa7c3cbc4bcff0f6d3fb079f5da03a6b6d10ab05238c
                                                                  • Instruction Fuzzy Hash: 31317C21B040548BE794A6B8D42076FA1CBAFD5788F198129D50AEF7C9EEB8CC4543E2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01755343 Relevance: .1, Instructions: 92COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cd9ab178d77e3ef726c8bebf4e7b7024885019baf1f73a811ff54efb6a6bc0da
                                                                  • Instruction ID: 7dcdcea654ec36f7754b5015674908cc8c43cc34e0c8e013524661e9b4be32d2
                                                                  • Opcode Fuzzy Hash: cd9ab178d77e3ef726c8bebf4e7b7024885019baf1f73a811ff54efb6a6bc0da
                                                                  • Instruction Fuzzy Hash: 5921B131B001589BE758A668C810B6FB5DBAFD5358F148139D90AEB3C5EEB4DC4543E2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01755630 Relevance: .1, Instructions: 87COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4d43582a78bfa89bf103faeabc4cfb429c7053c52ff1f41b035e146d4d80d1e9
                                                                  • Instruction ID: c5be32a7628c1c669d24066ebc173627356517c9f8a85ce535bbe9827f477671
                                                                  • Opcode Fuzzy Hash: 4d43582a78bfa89bf103faeabc4cfb429c7053c52ff1f41b035e146d4d80d1e9
                                                                  • Instruction Fuzzy Hash: 3F318134B50305EFEB099B70986ABAE7A63AB88700F10C02DF903AB3C1CE759C419754
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0175E9C0 Relevance: .1, Instructions: 82COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a1c5dc154dc0905e3dc7897584a8da180512c663780628194ad1b6917756ca08
                                                                  • Instruction ID: a978ffe6730e1240697380ca7a54d329650a878eee26a0f15554dc55cf85d252
                                                                  • Opcode Fuzzy Hash: a1c5dc154dc0905e3dc7897584a8da180512c663780628194ad1b6917756ca08
                                                                  • Instruction Fuzzy Hash: 27217C31E052648BDFA59638844027EFB76EF86594F1880BACD045B346DFB39E42C3D2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 016FD3B4 Relevance: .1, Instructions: 75COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416268003.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_16fd000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bbd19b9d3bfd0f7b9ea24eafce3086e5ea430dd2fdc648dc9080ab3d6704a9b1
                                                                  • Instruction ID: 192e8e8cf96607de5a0e31ea5c8aa24abea63382af1a9c09ce73a8164b440821
                                                                  • Opcode Fuzzy Hash: bbd19b9d3bfd0f7b9ea24eafce3086e5ea430dd2fdc648dc9080ab3d6704a9b1
                                                                  • Instruction Fuzzy Hash: 4F21D672504240DFDB05DF54D9C0B9ABB65FB88324F24C56DEA094B746C336F85AC7A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 017569A8 Relevance: .1, Instructions: 74COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ddb19c9dc7d7301dfa57ef58b1e494c8e2d21d07236a6c6abe020a1a372f21b3
                                                                  • Instruction ID: 59e34f59fc3acb6b0837f0039bee529fc88af2ae0553629d90000204eadd2a7c
                                                                  • Opcode Fuzzy Hash: ddb19c9dc7d7301dfa57ef58b1e494c8e2d21d07236a6c6abe020a1a372f21b3
                                                                  • Instruction Fuzzy Hash: A921AC35700621CBC7659A6AD858A2AFBA2FB8965574581BDFA06DB384CF70DC02CBC0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0170D030 Relevance: .1, Instructions: 72COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416333999.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_170d000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3a310c0a340b9b31c234c61116a908e2b1ae76f5149db870f54ff8cacbd58b61
                                                                  • Instruction ID: 789911e7f83358ff70b9ca2351aba487d35c71582992b2bc69caf3c505f77ce1
                                                                  • Opcode Fuzzy Hash: 3a310c0a340b9b31c234c61116a908e2b1ae76f5149db870f54ff8cacbd58b61
                                                                  • Instruction Fuzzy Hash: EE2125B1504344DFDB22DF94D9C0B16FBA1FB88364F24C5A9D84D4B786C376D84ACA61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0170D1E8 Relevance: .1, Instructions: 72COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416333999.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_170d000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 38769ec45fd611effd58a758b01bd01dbbc217f3642db1286a293612aa2189bd
                                                                  • Instruction ID: 72ff6fd2c80ca5668503cf9b4cbfa32a13ae5ce8c2183854bdc482a35e098071
                                                                  • Opcode Fuzzy Hash: 38769ec45fd611effd58a758b01bd01dbbc217f3642db1286a293612aa2189bd
                                                                  • Instruction Fuzzy Hash: CE21D3B5508340DFDB12CFD4D5C4B26FBA5FB88324F24C9A9D8094B786C376D846CAA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0175D408 Relevance: .1, Instructions: 70COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 57f84a2158bb75945632d7a8b39b3fbeb4140dd274ab4c7ebcc51b9144768fd7
                                                                  • Instruction ID: 5caeb5d5299d84be939fa828cbddeb476a3700d7af5c5847bf754549f0e9fd4e
                                                                  • Opcode Fuzzy Hash: 57f84a2158bb75945632d7a8b39b3fbeb4140dd274ab4c7ebcc51b9144768fd7
                                                                  • Instruction Fuzzy Hash: 8F119631B04114CBD7B4CA9DD8406EAFBE6EB89310F05817AED0AD7300D2B2BD408792
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01756997 Relevance: .1, Instructions: 67COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7f3055065cc88c7aa1d4a006d2fe0416124b9cb923aead5bfc2979073d70f69a
                                                                  • Instruction ID: f84b8004d727671683e4d4e1973f3da04966735ff3e67074e04b8430552d4129
                                                                  • Opcode Fuzzy Hash: 7f3055065cc88c7aa1d4a006d2fe0416124b9cb923aead5bfc2979073d70f69a
                                                                  • Instruction Fuzzy Hash: F111DD317047118FC7665A3ED89882AFFB6BF8625034980ADF946DB392CF70DC028790
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 017586B8 Relevance: .1, Instructions: 66COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 07245a9c5538dfe72a851de69f6bde1710187601fed8968171a4984bb1f84d92
                                                                  • Instruction ID: 012ba2dca22b0f00deb5c655787f577d9b301a67fdb59f8289bd6d2b47885eac
                                                                  • Opcode Fuzzy Hash: 07245a9c5538dfe72a851de69f6bde1710187601fed8968171a4984bb1f84d92
                                                                  • Instruction Fuzzy Hash: AB11B135B10208ABDB108E6ADC45BDEBBF9FB8C310F108465F916E3351DAB1AC11CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01756440 Relevance: .1, Instructions: 63COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 47a4a4cd9a41fce5946176539cf6d4cc8dc49d617760632f6a1f1c3dcb8c3292
                                                                  • Instruction ID: 3df3970788ffad7b81cde24578b9215e00245cc7c1f84853bb7d0d6d6cb24e0c
                                                                  • Opcode Fuzzy Hash: 47a4a4cd9a41fce5946176539cf6d4cc8dc49d617760632f6a1f1c3dcb8c3292
                                                                  • Instruction Fuzzy Hash: 1A11E230B04610CFCBA49E18D458A29FFA3EB84711F948069FE099B351EBB0ED44C7D2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01754590 Relevance: .1, Instructions: 62COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2245d0905e2de877c57306d4531c22219ec3d138f0bdbce942dc37578fd48d02
                                                                  • Instruction ID: 45c87e642bb7715b4676ba17f2c3c57fa63efd4cf6ec54c21982c8efe8aabc97
                                                                  • Opcode Fuzzy Hash: 2245d0905e2de877c57306d4531c22219ec3d138f0bdbce942dc37578fd48d02
                                                                  • Instruction Fuzzy Hash: A6119D30B14210DFDB549BA8C444779B7A6EF85704F1140AAEA03CB796EFB9CC818B92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0175E7B8 Relevance: .1, Instructions: 57COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4ab1c95b5963499883d03d30cf7e6e3f9d2a2b04952d68049f902c9bc9ddfbf6
                                                                  • Instruction ID: 86a12744eda481570ceee525c293e32e509c7c9938af19b9c657de37a9f0d598
                                                                  • Opcode Fuzzy Hash: 4ab1c95b5963499883d03d30cf7e6e3f9d2a2b04952d68049f902c9bc9ddfbf6
                                                                  • Instruction Fuzzy Hash: 28110D71E0021A9FCB14DF99D845AEEFBF5FB88210F10842AE915E3240DBB49A15CBE1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0175465B Relevance: .1, Instructions: 57COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 39dc82b2dc0293eb7b233ab6a3b96f9b7fda63d1abf27414429587be998f195e
                                                                  • Instruction ID: f9a79a2dcf0198368304afddf029a0f1994909c425a58e098865c5fb7bc39fa0
                                                                  • Opcode Fuzzy Hash: 39dc82b2dc0293eb7b233ab6a3b96f9b7fda63d1abf27414429587be998f195e
                                                                  • Instruction Fuzzy Hash: BA119E30714200DFDB989B78D4586397692EB80349F1184A6EA03CBBA5EFB9CCC58752
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 016FD3AF Relevance: .1, Instructions: 56COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416268003.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_16fd000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 939b8f6cb92a788342e5b4ce8085052b16ec77100d7f5ff06dca7e4d14cb17ff
                                                                  • Instruction ID: 687eaca6abe1a321bc7b4edf1cf5522eb8d530ed883832333cc67b4cd7a97c64
                                                                  • Opcode Fuzzy Hash: 939b8f6cb92a788342e5b4ce8085052b16ec77100d7f5ff06dca7e4d14cb17ff
                                                                  • Instruction Fuzzy Hash: 2111DF76404280CFDB02CF54D9C0B56BF71FB88324F24C6ADD9440B616C336E456CBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0170D1E3 Relevance: .1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416333999.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_170d000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 914b47b52eb416d8c2029453fd14364f30e4d74c62ff008a8db9dda63a452011
                                                                  • Instruction ID: b4cde3beb8aaf777ea6f37e2c3b65054efdcc50a05ad1d8922c495de7501949d
                                                                  • Opcode Fuzzy Hash: 914b47b52eb416d8c2029453fd14364f30e4d74c62ff008a8db9dda63a452011
                                                                  • Instruction Fuzzy Hash: 09117C75508380DFDB12CF94D584B15FBA1EB48324F28C6A9D8494B696C33AD45ACB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0170D02B Relevance: .1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416333999.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_170d000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 914b47b52eb416d8c2029453fd14364f30e4d74c62ff008a8db9dda63a452011
                                                                  • Instruction ID: cc2fb0f87ff70efd7a645ba333d2c4274629edb44ff9bef4dd2d0623a8af1a66
                                                                  • Opcode Fuzzy Hash: 914b47b52eb416d8c2029453fd14364f30e4d74c62ff008a8db9dda63a452011
                                                                  • Instruction Fuzzy Hash: 4211A975504380CFDB22CF94D5D0B15FBB1EB88224F28C6AAD8494B696C33AD44ACB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 016FD85D Relevance: .0, Instructions: 45COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416268003.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_16fd000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ebb22384381308cb7e76162eb41aec4084727c1561e3d69ac89e642613b7bdc4
                                                                  • Instruction ID: 7f5d59adf5cc89ae6fa2d62fc8744080ecc9d71e1187cd4e0b3f3042ead4a7b6
                                                                  • Opcode Fuzzy Hash: ebb22384381308cb7e76162eb41aec4084727c1561e3d69ac89e642613b7bdc4
                                                                  • Instruction Fuzzy Hash: 90012B31508384EAE7105B55DC807A6BBD8EF41278F08C55DEE1D5B786C375B84DC6B1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0175F220 Relevance: .0, Instructions: 40COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 19f0c60e0bb5dc25630dfd646af29733b7cb18a3b30c74cc2d302a4fc9707410
                                                                  • Instruction ID: a69c34b70ec4c32428f7b7666c437479834d04f90dfe20bff69d847b91237b36
                                                                  • Opcode Fuzzy Hash: 19f0c60e0bb5dc25630dfd646af29733b7cb18a3b30c74cc2d302a4fc9707410
                                                                  • Instruction Fuzzy Hash: 25F0AF71B0420A8BDB94EEACA80866EBBF6EBD82A0F444429ED14D3344DFB0DD058791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01753F98 Relevance: .0, Instructions: 39COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2f82ba20e5ca52005cf11a4006530269e433e5c700450141415dad86e2b0dcad
                                                                  • Instruction ID: 2e13020e57c5615a618693c17c3e17a8a5decba820ebac33d2ecac491a5c85fd
                                                                  • Opcode Fuzzy Hash: 2f82ba20e5ca52005cf11a4006530269e433e5c700450141415dad86e2b0dcad
                                                                  • Instruction Fuzzy Hash: AC01E574E04219AFCB40EFA8D9505DEBBF2EB48204F1089AAC119AB754EB345E099F81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 016FD85C Relevance: .0, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416268003.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_16fd000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c862b6945ece749758e2093c8d2adcb56faea662d286f304417b22a8aa743477
                                                                  • Instruction ID: 88be3b170f19653fe6e21dea17d67e76d8a7f98ee153280741f8a549f0ea5dc0
                                                                  • Opcode Fuzzy Hash: c862b6945ece749758e2093c8d2adcb56faea662d286f304417b22a8aa743477
                                                                  • Instruction Fuzzy Hash: 96F0C2715042849EE7108A19CC84BA6FFA8EB41634F18C55AEE181B382C379A848CAB1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 017555E1 Relevance: .0, Instructions: 24COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7c3f28f79f120d9d9ed8fc38ce6f2d3a412b6f5e4ce3d6414e14fd9da062ed34
                                                                  • Instruction ID: 81a0d67e275e1654145802d91bd85a9d80e600c9e372bddf8d299ba410590f7c
                                                                  • Opcode Fuzzy Hash: 7c3f28f79f120d9d9ed8fc38ce6f2d3a412b6f5e4ce3d6414e14fd9da062ed34
                                                                  • Instruction Fuzzy Hash: 3CF0FE74A11204DFCB05CBA4C54AB9DFFB2BB48700F248556F905EB382DA74AD80CB54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01755555 Relevance: .0, Instructions: 23COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 364d989a2d3aa7e3a1b3d92503608b8952427b55d95b0ac651c46810f6a55813
                                                                  • Instruction ID: 7b93fdef731512da06cf447f66e0bc2f2478f943ad003202b7bc9792eff89e6b
                                                                  • Opcode Fuzzy Hash: 364d989a2d3aa7e3a1b3d92503608b8952427b55d95b0ac651c46810f6a55813
                                                                  • Instruction Fuzzy Hash: D5E0227164020A8FC704CF94C8C16EEBBFEFF89344F10402AE415DF240C7B082469B61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 017555A7 Relevance: .0, Instructions: 18COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8dff5d7555a7c23fa5c44eccce714ed666064f3dc1858954e0078fd76ef0febb
                                                                  • Instruction ID: 5fd66ca0247b5064a569dbfd9414002bd8808895be5037d58e46c845a128d70e
                                                                  • Opcode Fuzzy Hash: 8dff5d7555a7c23fa5c44eccce714ed666064f3dc1858954e0078fd76ef0febb
                                                                  • Instruction Fuzzy Hash: 27E0EC39B51205DFDB04CBA4D90AB6DBBB1BB88700F24C055FD06EB381DEB4AD419B54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 01755771 Relevance: .0, Instructions: 11COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416480824.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1750000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b94fd1f7c4e5160f293d07284a0fa0dad9c79694170477f662f85e8b6c056f0a
                                                                  • Instruction ID: 96060b43b19606e677ab061110ec3c3a7ddcb881930eff23687e337478c17d34
                                                                  • Opcode Fuzzy Hash: b94fd1f7c4e5160f293d07284a0fa0dad9c79694170477f662f85e8b6c056f0a
                                                                  • Instruction Fuzzy Hash: 3AD012703541809BF708DE10C1A6B367752EB91254F118169AE068F7D6CA79CD82C6A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Function 03116ED8 Relevance: .3, Instructions: 315COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9560e3b67da079c009b244706e5bd7e4e851bcb66f69454e8e476182b9046164
                                                                  • Instruction ID: acbdffc9beb7ee682dff2aac4670cae7324b588edf8f71be6c7bedaacab111bf
                                                                  • Opcode Fuzzy Hash: 9560e3b67da079c009b244706e5bd7e4e851bcb66f69454e8e476182b9046164
                                                                  • Instruction Fuzzy Hash: BD12B8F14117468BD318EFA5E9981893B73F74A328F906308D2A15FAD9D7B811CACF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03114D3C Relevance: .3, Instructions: 265COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2fe1c794a30c29cbd504bd3c05b9ac25ec966ab52d18df33d644e14911328b28
                                                                  • Instruction ID: 8970103b07ccdb6ab1333eee124fae71bacaee175be52da4d2cd7a62124997bb
                                                                  • Opcode Fuzzy Hash: 2fe1c794a30c29cbd504bd3c05b9ac25ec966ab52d18df33d644e14911328b28
                                                                  • Instruction Fuzzy Hash: DEA17C36E00619CFCF19DFB5C8445DEBBB2FF88300B15817AE905AB220EB75A965CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03116EC8 Relevance: .2, Instructions: 221COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.416764271.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Offset: 03110000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_3110000_Dhl.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 04324706c5839ec62c525ac5d3ebf0ebfcb2d6c356e582d53ddc2d1abbcc1890
                                                                  • Instruction ID: e469b4753fc01cd7e9e326f6f006c5ed0062e9688222bbe200784fbeae6c1229
                                                                  • Opcode Fuzzy Hash: 04324706c5839ec62c525ac5d3ebf0ebfcb2d6c356e582d53ddc2d1abbcc1890
                                                                  • Instruction Fuzzy Hash: 8BC14DB18117468BD718EFA5EC881897B73FB8E328F545308D1616B6D8D7B814CACFA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%