Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Dhl.exe

Overview

General Information

Sample Name:Dhl.exe
Analysis ID:778242
MD5:6a2bcefb53b034548874a53d22982949
SHA1:63793181c397deb869c4f91841389ac21dc36b0c
SHA256:5e395b61e0ed45f930033b90cec01953a40b565751e727801ced6528aeb322f1
Tags:exe
Infos:

Detection

DarkTortilla
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected DarkTortilla Crypter
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Dhl.exe (PID: 4460 cmdline: C:\Users\user\Desktop\Dhl.exe MD5: 6A2BCEFB53B034548874A53D22982949)
    • cmd.exe (PID: 4424 cmdline: cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 676 cmdline: ping 127.0.0.1 -n 43 MD5: 70C24A306F768936563ABDADB9CA9108)
      • PING.EXE (PID: 2396 cmdline: ping 127.0.0.1 -n 43 MD5: 70C24A306F768936563ABDADB9CA9108)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
    00000000.00000002.422138372.000000000439E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
      00000000.00000002.419766240.0000000003573000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
        00000000.00000002.417679179.000000000336E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
          00000000.00000002.422650649.0000000004486000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
            Click to see the 1 entries

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Machine Learning detection for sample
            Source: Dhl.exeJoe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\Adobe.exeJoe Sandbox ML: detected
            Source: Dhl.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 142.250.184.36:443 -> 192.168.2.5:49702 version: TLS 1.2
            Source: Dhl.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            barindex
            Uses ping.exe to check the status of other devices and networks
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Close
            Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: Dhl.exe, 00000000.00000002.416987697.0000000003291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: Dhl.exe, 00000000.00000003.308007193.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
            Source: Dhl.exe, 00000000.00000003.306436619.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com1
            Source: Dhl.exe, 00000000.00000003.306436619.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306865263.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comK
            Source: Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comW
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comn-u
            Source: Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comy
            Source: Dhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314315986.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332039121.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.414595334.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310002435.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314023655.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314268300.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311766107.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/
            Source: Dhl.exe, 00000000.00000003.310752222.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: Dhl.exe, 00000000.00000003.312935379.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers-
            Source: Dhl.exe, 00000000.00000003.309987554.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: Dhl.exe, 00000000.00000003.312451218.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312337645.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312111053.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312200037.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312268786.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
            Source: Dhl.exe, 00000000.00000003.312111053.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312200037.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlH
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311215416.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: Dhl.exe, 00000000.00000003.310095952.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersC
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: Dhl.exe, 00000000.00000003.310692246.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310624777.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310752222.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersH
            Source: Dhl.exe, 00000000.00000003.320097030.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersers
            Source: Dhl.exe, 00000000.00000003.312451218.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerserso
            Source: Dhl.exe, 00000000.00000003.312337645.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerso
            Source: Dhl.exe, 00000000.00000003.310624777.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
            Source: Dhl.exe, 00000000.00000003.310163535.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310288598.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310343508.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310110673.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312128474.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
            Source: Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF/
            Source: Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314315986.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314023655.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314268300.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314121536.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314373858.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comM
            Source: Dhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312573902.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312696214.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312352888.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312844737.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
            Source: Dhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312573902.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312696214.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312352888.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312844737.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comals
            Source: Dhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312218165.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312281638.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomF
            Source: Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdTTF
            Source: Dhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332039121.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.414595334.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320041131.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331678024.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332826630.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320945244.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332437472.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331235256.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.334445936.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.415069105.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.330794766.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320702302.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.come
            Source: Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.come.com
            Source: Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312128474.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311873693.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311766107.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessed
            Source: Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessed_
            Source: Dhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320041131.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320945244.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331235256.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.330794766.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320702302.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgrito
            Source: Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comitud
            Source: Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comitum
            Source: Dhl.exe, 00000000.00000003.310002435.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comnc.F
            Source: Dhl.exe, 00000000.00000003.310163535.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310288598.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310110673.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comtalik
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: Dhl.exe, 00000000.00000003.305686099.0000000006E34000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306112483.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305386586.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305516963.0000000006E3D000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305266367.0000000006E69000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305240761.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: Dhl.exe, 00000000.00000003.306112483.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: Dhl.exe, 00000000.00000003.305033442.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/H;
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn0
            Source: Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn8
            Source: Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnD
            Source: Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnh
            Source: Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com//
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: Dhl.exe, 00000000.00000003.315304297.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315203493.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: Dhl.exe, 00000000.00000003.315304297.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315203493.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmo
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308469112.0000000006E64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/9
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/F
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/P
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/W
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
            Source: Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/c
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/lic
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
            Source: Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t
            Source: Dhl.exe, 00000000.00000003.317270717.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317561165.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316536438.0000000006E70000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317018687.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316610467.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317719741.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316754232.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317456787.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316467807.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317190635.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316919935.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317636189.0000000006E6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308059633.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308040298.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: Dhl.exe, 00000000.00000003.307235075.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307127047.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comR
            Source: Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comslnt
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: Dhl.exe, 00000000.00000003.309694747.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313276635.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313444463.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
            Source: Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: Dhl.exe, 00000000.00000003.313532650.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313382330.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313276635.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313619459.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313444463.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deeg_ia
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.Q
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnoth
            Source: Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cntyp6
            Source: Dhl.exe, 00000000.00000002.417121586.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.417185610.00000000032D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/other
            Source: Dhl.exe, 00000000.00000002.416987697.0000000003291000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: unknownDNS traffic detected: queries for: www.google.com
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Close
            Source: unknownHTTPS traffic detected: 142.250.184.36:443 -> 192.168.2.5:49702 version: TLS 1.2

            System Summary

            barindex
            .NET source code contains very large array initializations
            Source: Dhl.exe, r6M/z2P.csLarge array initialization: k7ADe: array initializer size 186880
            Source: Dhl.exe, Nd8/c1K.csLarge array initialization: .cctor: array initializer size 2038
            Source: 0.0.Dhl.exe.ba0000.0.unpack, r6M/z2P.csLarge array initialization: k7ADe: array initializer size 186880
            Source: 0.0.Dhl.exe.ba0000.0.unpack, Nd8/c1K.csLarge array initialization: .cctor: array initializer size 2038
            Source: Adobe.exe.1.dr, r6M/z2P.csLarge array initialization: k7ADe: array initializer size 186880
            Source: Adobe.exe.1.dr, Nd8/c1K.csLarge array initialization: .cctor: array initializer size 2038
            Source: Dhl.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_0175E860
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_01756E18
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_01757A40
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_03116ED8
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_03116EC8
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_03114D3C
            Source: Dhl.exe, 00000000.00000002.423975925.0000000006940000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArgenTINA.dll$ vs Dhl.exe
            Source: Dhl.exe, 00000000.00000002.421528120.0000000004291000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArgenTINA.dll$ vs Dhl.exe
            Source: Dhl.exe, 00000000.00000000.292773300.0000000000C46000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameData Encoder.exeJ vs Dhl.exe
            Source: Dhl.exeBinary or memory string: OriginalFilenameData Encoder.exeJ vs Dhl.exe
            Source: Dhl.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Dhl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\Dhl.exe C:\Users\user\Desktop\Dhl.exe
            Source: C:\Users\user\Desktop\Dhl.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Users\user\Desktop\Dhl.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Users\user\Desktop\Dhl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
            Source: Adobe.lnk.0.drLNK file: ..\..\..\..\..\Adobe.exe
            Source: C:\Users\user\Desktop\Dhl.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnkJump to behavior
            Source: classification engineClassification label: mal72.troj.evad.winEXE@8/6@1/2
            Source: C:\Users\user\Desktop\Dhl.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: Dhl.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\Dhl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_01
            Source: C:\Users\user\Desktop\Dhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Dhl.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Dhl.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            barindex
            Yara detected DarkTortilla Crypter
            Source: Yara matchFile source: 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.422138372.000000000439E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.419766240.0000000003573000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.417679179.000000000336E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.422650649.0000000004486000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Dhl.exe PID: 4460, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_0175C702 push 8B000005h; retf
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_0175CD9C push ebp; retf
            Source: C:\Users\user\Desktop\Dhl.exeCode function: 0_2_03111A10 push E005DB04h; iretd
            Source: initial sampleStatic PE information: section name: .text entropy: 7.078604827515667
            Source: initial sampleStatic PE information: section name: .text entropy: 7.078604827515667
            Source: Dhl.exe, r6M/z2P.csHigh entropy of concatenated method names: '.ctor', 'So7', 'x0Y', 'i5D8Z', 'b2NFy', 'Ta09Q', 'Rc7a8', 'y0BKe', 't7LCm', 'Et46B'
            Source: 0.0.Dhl.exe.ba0000.0.unpack, r6M/z2P.csHigh entropy of concatenated method names: '.ctor', 'So7', 'x0Y', 'i5D8Z', 'b2NFy', 'Ta09Q', 'Rc7a8', 'y0BKe', 't7LCm', 'Et46B'
            Source: Adobe.exe.1.dr, r6M/z2P.csHigh entropy of concatenated method names: '.ctor', 'So7', 'x0Y', 'i5D8Z', 'b2NFy', 'Ta09Q', 'Rc7a8', 'y0BKe', 't7LCm', 'Et46B'
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Adobe.exeJump to dropped file
            Source: C:\Users\user\Desktop\Dhl.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnkJump to behavior
            Source: C:\Users\user\Desktop\Dhl.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnkJump to behavior

            Hooking and other Techniques for Hiding and Protection

            barindex
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\Dhl.exeFile opened: C:\Users\user\Desktop\Dhl.exe\:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Dhl.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Uses ping.exe to sleep
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Users\user\Desktop\Dhl.exe TID: 4588Thread sleep time: -23980767295822402s >= -30000s
            Source: C:\Users\user\Desktop\Dhl.exe TID: 4588Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\PING.EXE TID: 1428Thread sleep count: 41 > 30
            Source: C:\Windows\SysWOW64\PING.EXE TID: 1428Thread sleep time: -41000s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
            Source: C:\Users\user\Desktop\Dhl.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Dhl.exeWindow / User API: threadDelayed 9821
            Source: C:\Users\user\Desktop\Dhl.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Dhl.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Dhl.exeThread delayed: delay time: 30000
            Source: Dhl.exe, 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTrayH
            Source: Dhl.exe, 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware VGAuth
            Source: Dhl.exe, 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: sandboxierpcss#SOFTWARE\VMware, Inc.\VMware VGAuth
            Source: Dhl.exe, 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTrayHp
            Source: C:\Users\user\Desktop\Dhl.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\Dhl.exeMemory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\Dhl.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 43
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Users\user\Desktop\Dhl.exe VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Dhl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation2
            Registry Run Keys / Startup Folder            		11
            Process Injection            		1
            Masquerading            		OS Credential Dumping1
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		Exfiltration Over Other Network Medium11
            Encrypted Channel            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts2
            Registry Run Keys / Startup Folder            		1
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
            Ingress Tool Transfer            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
            Virtualization/Sandbox Evasion            		Security Account Manager21
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
            Non-Application Layer Protocol            		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureScheduled Transfer3
            Application Layer Protocol            		SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Hidden Files and Directories            		LSA Secrets11
            Remote System Discovery            		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common2
            Obfuscated Files or Information            		Cached Domain Credentials1
            System Network Configuration Discovery            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items1
            Software Packing            		DCSync1
            File and Directory Discovery            		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem12
            System Information Discovery            		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Dhl.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\Adobe.exe100%Joe Sandbox ML

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.fontbureau.comessed0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/90%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/80%URL Reputationsafe
            http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
            http://www.fontbureau.comgrito0%URL Reputationsafe
            http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.galapagosdesign.com/0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/W0%URL Reputationsafe
            http://www.carterandcone.comW0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/P0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/F0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/F0%URL Reputationsafe
            http://www.fontbureau.come.com0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.founder.com.cn/cn/0%URL Reputationsafe
            http://www.founder.com.cn/cn00%URL Reputationsafe
            http://www.fontbureau.comdTTF0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/t0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y0/0%URL Reputationsafe
            http://www.carterandcone.comy0%URL Reputationsafe
            http://www.fontbureau.comcomF0%URL Reputationsafe
            http://www.founder.com.cn/cn80%URL Reputationsafe
            http://www.fontbureau.comals0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/c0%URL Reputationsafe
            http://www.fontbureau.comitud0%URL Reputationsafe
            http://www.carterandcone.comn-u0%URL Reputationsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/F0%URL Reputationsafe
            https://csp.withgoogle.com/csp/report-to/gws/other0%URL Reputationsafe
            http://www.carterandcone.com10%URL Reputationsafe
            http://www.founder.com.cn/cn/H;0%Avira URL Cloudsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/90%URL Reputationsafe
            http://www.founder.com.cn/cnD0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.de0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.founder.com.cn/cnh0%URL Reputationsafe
            http://www.carterandcone.comK0%URL Reputationsafe
            http://www.fontbureau.comF0%URL Reputationsafe
            http://www.tiro.comslnt0%URL Reputationsafe
            http://www.fontbureau.comM0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
            http://www.fontbureau.coma0%URL Reputationsafe
            http://www.fontbureau.comd0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.fontbureau.come0%URL Reputationsafe
            http://www.monotype.0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.zhongyicts.com.cno.0%URL Reputationsafe
            http://www.zhongyicts.com.cntyp60%Avira URL Cloudsafe
            http://www.galapagosdesign.com/staff/dennis.htmo0%Avira URL Cloudsafe
            http://www.fontbureau.comitum0%Avira URL Cloudsafe
            http://www.fontbureau.comessed_0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cno.Q0%Avira URL Cloudsafe
            http://www.fontbureau.comnc.F0%Avira URL Cloudsafe
            http://www.urwpp.deeg_ia0%Avira URL Cloudsafe
            http://www.fontbureau.comF/0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cnoth0%Avira URL Cloudsafe
            http://www.galapagosdesign.com//0%Avira URL Cloudsafe
            http://www.fontbureau.comtalik0%Avira URL Cloudsafe
            http://www.tiro.comR0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/lic0%Avira URL Cloudsafe
            http://www.galapagosdesign.com//0%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            www.google.com
            		142.250.184.36
            		truefalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://www.google.com/false
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.founder.com.cn/cn/H;Dhl.exe, 00000000.00000003.305033442.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.fontbureau.comessed_Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		low
                http://www.fontbureau.com/designersDhl.exe, 00000000.00000003.310752222.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.fontbureau.comessedDhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312128474.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311873693.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311766107.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.sajatypeworks.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.jiyu-kobo.co.jp/9Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://www.google.comDhl.exe, 00000000.00000002.416987697.0000000003291000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.founder.com.cn/cn/cTheDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/8Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designersersDhl.exe, 00000000.00000003.320097030.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.jiyu-kobo.co.jp//Dhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308469112.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311766107.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.galapagosdesign.com/DPleaseDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.jiyu-kobo.co.jp/Y0Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.comgritoDhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320041131.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320945244.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331235256.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.330794766.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320702302.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.ascendercorp.com/typedesigners.htmlDhl.exe, 00000000.00000003.308007193.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.urwpp.deDPleaseDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.zhongyicts.com.cnDhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDhl.exe, 00000000.00000002.416987697.0000000003291000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.galapagosdesign.com/Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/WDhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.zhongyicts.com.cntyp6Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.carterandcone.comWDhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.comitumDhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/PDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/FDhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.zhongyicts.com.cno.QDhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.galapagosdesign.com/staff/dennis.htmoDhl.exe, 00000000.00000003.315304297.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315203493.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.come.comDhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.comlDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cn/Dhl.exe, 00000000.00000003.306112483.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cn0Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/frere-jones.htmlDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311215416.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.fontbureau.comdTTFDhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/tDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/Y0/Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comyDhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comcomFDhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312218165.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312281638.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn8Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/pDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              http://www.fontbureau.comalsDhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312573902.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312696214.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312352888.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312844737.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/cDhl.exe, 00000000.00000003.307697237.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersersoDhl.exe, 00000000.00000003.312451218.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.fontbureau.comitudDhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersHDhl.exe, 00000000.00000003.310692246.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310624777.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310752222.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.fontbureau.com/designersGDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.carterandcone.comn-uDhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/?Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.founder.com.cn/cn/bTheDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.jiyu-kobo.co.jp/jp/FDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers?Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.com/designersCDhl.exe, 00000000.00000003.310095952.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://csp.withgoogle.com/csp/report-to/gws/otherDhl.exe, 00000000.00000002.417121586.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.417185610.00000000032D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.carterandcone.com1Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.tiro.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comnc.FDhl.exe, 00000000.00000003.310002435.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.goodfont.co.krDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.carterandcone.comDhl.exe, 00000000.00000003.306436619.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306883065.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/jp/9Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.founder.com.cn/cnDDhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.typography.netDDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.galapagosdesign.com/staff/dennis.htmDhl.exe, 00000000.00000003.315304297.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315203493.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://fontfabrik.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fonts.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.sandoll.co.krDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.urwpp.deDhl.exe, 00000000.00000003.309694747.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313276635.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313444463.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.comF/Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.sakkal.comDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308059633.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.308040298.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designersoDhl.exe, 00000000.00000003.312337645.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.founder.com.cn/cnhDhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designerstDhl.exe, 00000000.00000003.310624777.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.carterandcone.comKDhl.exe, 00000000.00000003.306436619.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306865263.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306606893.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306717911.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.apache.org/licenses/LICENSE-2.0Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.fontbureau.comDhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314315986.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332039121.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.414595334.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310002435.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314023655.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314268300.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.urwpp.deeg_iaDhl.exe, 00000000.00000003.313532650.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313382330.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313276635.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313619459.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313444463.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		low
                                                    http://www.fontbureau.comFDhl.exe, 00000000.00000003.310163535.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310288598.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312057212.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311813768.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310343508.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310110673.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311983792.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312128474.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.zhongyicts.com.cnothDhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.tiro.comslntDhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.comMDhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314315986.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314023655.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314268300.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314121536.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.314373858.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.jiyu-kobo.co.jp/jp/Dhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.comaDhl.exe, 00000000.00000003.312467456.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312953953.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313028049.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313908563.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312775137.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313958365.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313636686.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313400405.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313580623.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313457659.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313711101.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313217540.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313331862.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312573902.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312696214.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313849181.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312352888.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.313154841.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312844737.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.comdDhl.exe, 00000000.00000003.311148414.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310793241.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311261907.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311389362.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311642222.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311728773.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311043155.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310637019.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310908506.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311312726.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311099099.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311182437.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311493245.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310706869.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310990399.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.311595620.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310853172.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlNDhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.galapagosdesign.com//Dhl.exe, 00000000.00000003.315100802.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • 0%, Virustotal, Browse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.founder.com.cn/cnDhl.exe, 00000000.00000003.305686099.0000000006E34000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.306112483.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305649522.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305386586.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305921064.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305479451.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305540146.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305721185.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305842145.0000000006E59000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305516963.0000000006E3D000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305266367.0000000006E69000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305240761.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.305979176.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designers-Dhl.exe, 00000000.00000003.312935379.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.fontbureau.comeDhl.exe, 00000000.00000003.320496151.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320208669.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320313286.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332039121.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.414595334.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320041131.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331678024.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332826630.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320945244.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.332437472.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.331235256.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.334445936.0000000006E65000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.415069105.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320117656.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.330794766.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.320702302.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlDhl.exe, 00000000.00000003.312451218.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312337645.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312111053.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312200037.0000000006E5A000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312268786.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.fontbureau.comtalikDhl.exe, 00000000.00000003.310163535.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310288598.0000000006E64000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.310110673.0000000006E64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.monotype.Dhl.exe, 00000000.00000003.317270717.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317561165.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316536438.0000000006E70000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317018687.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316610467.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317719741.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316754232.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317456787.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316467807.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317190635.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.316919935.0000000006E6F000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.317636189.0000000006E6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.tiro.comRDhl.exe, 00000000.00000003.307235075.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307127047.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.307036215.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.jiyu-kobo.co.jp/Dhl.exe, 00000000.00000003.307600350.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.zhongyicts.com.cno.Dhl.exe, 00000000.00000003.306308445.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designers8Dhl.exe, 00000000.00000002.424874772.0000000007042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.fontbureau.com/designers/Dhl.exe, 00000000.00000003.309987554.0000000006E5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.jiyu-kobo.co.jp/licDhl.exe, 00000000.00000003.307848197.0000000006E59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://www.fontbureau.com/designers/cabarga.htmlHDhl.exe, 00000000.00000003.312111053.0000000006E5B000.00000004.00000800.00020000.00000000.sdmp, Dhl.exe, 00000000.00000003.312200037.0000000006E5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high

                                                                World Map of Contacted IPs

                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs

                                                                Public IPs

                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                142.250.184.36
                                                                		www.google.comUnited States
                                                                		15169GOOGLEUSfalse

                                                                Private

                                                                IP
                                                                127.0.0.1

                                                                General Information

                                                                Joe Sandbox Version:36.0.0 Rainbow Opal
                                                                Analysis ID:778242
                                                                Start date and time:2023-01-05 09:21:16 +01:00
                                                                Joe Sandbox Product:CloudBasic
                                                                Overall analysis duration:0h 7m 27s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:light
                                                                Sample file name:Dhl.exe
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                Number of analysed new started processes analysed:8
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • HDC enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Detection:MAL
                                                                Classification:mal72.troj.evad.winEXE@8/6@1/2
                                                                EGA Information:
                                                                • Successful, ratio: 100%
                                                                HDC Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 99%
                                                                • Number of executed functions: 0
                                                                • Number of non-executed functions: 0
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe

                                                                Warnings

                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                Simulations

                                                                Behavior and APIs

                                                                TimeTypeDescription
                                                                09:22:32API Interceptor208x Sleep call for process: Dhl.exe modified
                                                                09:22:36AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnk

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                No context

                                                                Domains

                                                                No context

                                                                ASNs

                                                                No context

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dhl.exe.log

                                                                Download File
                                                                Process:C:\Users\user\Desktop\Dhl.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1216
                                                                Entropy (8bit):5.355304211458859
                                                                Encrypted:false
                                                                SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHY
                                                                MD5:45A1687CECD48F6A4A90071C96E50E41
                                                                SHA1:DF49ED05380F17EB14F2B87F051676E8B681E7E2
                                                                SHA-256:05DABE990DCB3015952FAA3AE9AD3E43F70FF3BDB2E17E3B7A183CBDCDAF7C49
                                                                SHA-512:1E0683F03744B715EC699179412C4E1BF44ED1D98F4ACE22366FB860773C8FF6A02D809BCAA1170BDD712B94A3FFBB9990ED0E9BD494E4622E37D3A5CDED332B
                                                                Malicious:true
                                                                Reputation:moderate, very likely benign file
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                C:\Users\user\AppData\Roaming\Adobe.exe

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):842752
                                                                Entropy (8bit):6.816319529583852
                                                                Encrypted:false
                                                                SSDEEP:12288:Kr1ttVPPvGYLHicNzGE1H6E1H6E1H6E1HsE1HQ8chPkwDQOuNbJ3XVkHvxJz1f2u:KrbvG8C7uH6uH6uH6uHsuHSkwi0c
                                                                MD5:6A2BCEFB53B034548874A53D22982949
                                                                SHA1:63793181C397DEB869C4F91841389AC21DC36B0C
                                                                SHA-256:5E395B61E0ED45F930033B90CEC01953A40B565751E727801CED6528AEB322F1
                                                                SHA-512:7A8BE43BB7F1F371BB20EEF895CE403402D11823C1014212D6A44674D6E9819EEC2B7FE1252068FA45F651B2652B8F97C2307ABF90BC70D2DE67EACD5E4856F2
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                Reputation:low
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m.1.............................K... ...`....@.. .......................@............`..................................K..W....`...................... ....................................................... ............... ..H............text....,... ...................... ..`.rsrc.......`.......0..............@..@.reloc....... ......................@..B.................K......H............8......;.......r............................................V@.~n....................vG..../._.2.n.g".....f.B.9..|.#.j...........T<.x..Q...L..`.8|""...<k".(..&..aU>."i.6.~...}6y.. .n.gO. V.D...x l".......LD...w!..ei.........,.6\.W...k..a....Q..0ur....WAY.x.?-n....kv.5m.+.<.I.dcz.kiUp...-...:..?@.64...O..;...".5...r&..^}3..N.9'.5=mN......{R.v..15.......#.....7\..d=..../.Z6J..l:.......X..d..(...QW%.b....].....=c...U.O..8..A.T&.l&..=.X.7.$..h{z.

                                                                C:\Users\user\AppData\Roaming\Adobe.exe:Zone.Identifier

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Reputation:high, very likely benign file
                                                                Preview:[ZoneTransfer]....ZoneId=0

                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.lnk

                                                                Download File
                                                                Process:C:\Users\user\Desktop\Dhl.exe
                                                                File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                Category:dropped
                                                                Size (bytes):888
                                                                Entropy (8bit):3.0964643635058136
                                                                Encrypted:false
                                                                SSDEEP:12:8wl0hsXU1e/tz0/CSLiN79NMJYgCNfBf4t2Y+xIBjK:8yvWLnSpj7aB
                                                                MD5:C3EA211B60112431AFF49E82AF924298
                                                                SHA1:3F1C845CFEF7B8426E93C23D6895FA5C1222483C
                                                                SHA-256:53FB069F843AEC8118F8C792383467D95913B1B5233A4AFAF19BD799D04545E6
                                                                SHA-512:C5CE3E5E6C9F7F048332E26A0B8C0EE56AD6EFA013EDF2CF1198D2F81A08A0DDD220B9E59AAB4AAA00BEC196DCF7DB6D75FEA228045BB7658699E6D691BAB14E
                                                                Malicious:false
                                                                Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.2...........Adobe.exe.D............................................A.d.o.b.e...e.x.e.............\.....\.....\.....\.....\.A.d.o.b.e...e.x.e.).C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.A.d.o.b.e...e.x.e.............}.............>.e.L.:..er.=}...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................

                                                                \Device\Null

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\PING.EXE
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1269
                                                                Entropy (8bit):4.6333041134432005
                                                                Encrypted:false
                                                                SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTO:/4
                                                                MD5:547F93F8C190FF60B69925BE7F19A99C
                                                                SHA1:7154358994ABEC65BBB6037CBEB6A7AAB778EE24
                                                                SHA-256:AEA40E2666479E251DC673126D613711534506D13FDC738297A706D517455459
                                                                SHA-512:77DABD91F9711F3F54CEEF03843D075F3907E9B84102A2884DC3DBA5B6870A984E4C7126E007D06FEAF3F893039F3C8A9C0E94D3592A0E6E56566C49295862C4
                                                                Malicious:false
                                                                Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):6.816319529583852
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:Dhl.exe
                                                                File size:842752
                                                                MD5:6a2bcefb53b034548874a53d22982949
                                                                SHA1:63793181c397deb869c4f91841389ac21dc36b0c
                                                                SHA256:5e395b61e0ed45f930033b90cec01953a40b565751e727801ced6528aeb322f1
                                                                SHA512:7a8be43bb7f1f371bb20eef895ce403402d11823c1014212d6a44674d6e9819eec2b7fe1252068fa45f651b2652b8f97c2307abf90bc70d2de67eacd5e4856f2
                                                                SSDEEP:12288:Kr1ttVPPvGYLHicNzGE1H6E1H6E1H6E1HsE1HQ8chPkwDQOuNbJ3XVkHvxJz1f2u:KrbvG8C7uH6uH6uH6uHsuHSkwi0c
                                                                TLSH:6805BE971663BFD9C0718678E261CCE423B17E3900D08BEE69E41395D6E3A5B7A3384D
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m.1.............................K... ...`....@.. .......................@............`................................

                                                                File Icon

                                                                Icon Hash:e0c6b2321282c4e0

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4a4bfe
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x31DA6D85 [Wed Jul 3 12:54:29 1996 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al

                                                                Data Directories

                                                                NameVirtual AddressVirtual Size Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xa4ba40x57.text
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xa60000x2a9ea.rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xd20000xc.reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                Sections

                                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                .text0x20000xa2c040xa2e00False0.6488527076937836data7.078604827515667IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .rsrc0xa60000x2a9ea0x2aa00False0.23383660190615835data4.835402900266054IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc0xd20000xc0x200False0.041015625data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                NameRVASizeTypeLanguageCountry
                                                                RT_ICON0xa64c00x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640
                                                                RT_ICON0xa67a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192
                                                                RT_ICON0xa68d00xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2688
                                                                RT_ICON0xa77780x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1152
                                                                RT_ICON0xa80200x568Device independent bitmap graphic, 16 x 32 x 8, image size 320
                                                                RT_ICON0xa85880x3e48PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                RT_ICON0xac3d00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896
                                                                RT_ICON0xb05f80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600
                                                                RT_ICON0xb2ba00x1a68Device independent bitmap graphic, 40 x 80 x 32, image size 6720
                                                                RT_ICON0xb46080x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224
                                                                RT_ICON0xb56b00x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400
                                                                RT_ICON0xb60380x6b8Device independent bitmap graphic, 20 x 40 x 32, image size 1680
                                                                RT_ICON0xb66f00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088
                                                                RT_ICON0xb6b580x12c0PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                RT_ICON0xb7e180x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536
                                                                RT_ICON0xc86400x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384
                                                                RT_ICON0xcc8680x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216
                                                                RT_ICON0xcee100x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096
                                                                RT_ICON0xcfeb80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024
                                                                RT_GROUP_ICON0xd03200x5adata
                                                                RT_GROUP_ICON0xd037c0xbcdata
                                                                RT_VERSION0xd04380x3c8data
                                                                RT_MANIFEST0xd08000x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                                                                Imports

                                                                DLLImport
                                                                mscoree.dll_CorExeMain

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 5, 2023 09:22:11.438339949 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.438410044 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.438503027 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.550308943 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.550349951 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.628907919 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.629101992 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.634354115 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.634371996 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.634776115 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:11.684264898 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.961411953 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:11.961477995 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.144965887 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145093918 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.145360947 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145509005 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.145661116 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145744085 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.145793915 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145845890 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145859957 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.145872116 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.145929098 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.147181034 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.147284031 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.147311926 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.147341013 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.147402048 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.148653030 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.148753881 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.150139093 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.150233030 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.150253057 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.150278091 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.150336981 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.165596962 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.165704966 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.165745020 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.166094065 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.166120052 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.166141987 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.166203976 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.166261911 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.166337013 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.167538881 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.168091059 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.168157101 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.168178082 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.169663906 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.169740915 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.169761896 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.169785976 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.169841051 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.171137094 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.172681093 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.172761917 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.172784090 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.174181938 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.174283028 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.174309015 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.175443888 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.175530910 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.175559998 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.176819086 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.176887035 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.176904917 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.178112030 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.178200960 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.178217888 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.178241968 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.178330898 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.179430962 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.180751085 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.180836916 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.180855036 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.182064056 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.182131052 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.182147980 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.186530113 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.186606884 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:12.186630011 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.186986923 CET44349702142.250.184.36192.168.2.5
                                                                Jan 5, 2023 09:22:12.187066078 CET49702443192.168.2.5142.250.184.36
                                                                Jan 5, 2023 09:22:13.315306902 CET49702443192.168.2.5142.250.184.36

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 5, 2023 09:22:11.376574993 CET6064953192.168.2.58.8.8.8
                                                                Jan 5, 2023 09:22:11.396013021 CET53606498.8.8.8192.168.2.5

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Jan 5, 2023 09:22:11.376574993 CET192.168.2.58.8.8.80xcadcStandard query (0)www.google.comA (IP address)IN (0x0001)false

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Jan 5, 2023 09:22:11.396013021 CET8.8.8.8192.168.2.50xcadcNo error (0)www.google.com142.250.184.36A (IP address)IN (0x0001)false

                                                                HTTP Request Dependency Graph

                                                                • www.google.com

                                                                Statistics

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:0
                                                                Start time:09:22:10
                                                                Start date:05/01/2023
                                                                Path:C:\Users\user\Desktop\Dhl.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\Desktop\Dhl.exe
                                                                Imagebase:0xba0000
                                                                File size:842752 bytes
                                                                MD5 hash:6A2BCEFB53B034548874A53D22982949
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.417203630.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.422138372.000000000439E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.419766240.0000000003573000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.417679179.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.422650649.0000000004486000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Target ID:1
                                                                Start time:09:23:06
                                                                Start date:05/01/2023
                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\user\Desktop\Dhl.exe" "C:\Users\user\AppData\Roaming\Adobe.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\user\AppData\Roaming\Adobe.exe
                                                                Imagebase:0x11d0000
                                                                File size:232960 bytes
                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:4
                                                                Start time:09:23:07
                                                                Start date:05/01/2023
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7fcd70000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:5
                                                                Start time:09:23:07
                                                                Start date:05/01/2023
                                                                Path:C:\Windows\SysWOW64\PING.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:ping 127.0.0.1 -n 43
                                                                Imagebase:0x3e0000
                                                                File size:18944 bytes
                                                                MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:6
                                                                Start time:09:23:50
                                                                Start date:05/01/2023
                                                                Path:C:\Windows\SysWOW64\PING.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:ping 127.0.0.1 -n 43
                                                                Imagebase:0x3e0000
                                                                File size:18944 bytes
                                                                MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                Disassembly

                                                                No disassembly