
Windows Analysis Report
DHL_Express_Shipment_DOC.exe

Overview

General Information

Sample Name: DHL_Express_Shipment_DOC.exe
Analysis ID: 831160
MD5: 370ebdf4ff5036c106793994cc851779
SHA1: cc04ea26c1364b9a058b55c8697a49e1c7e16970
SHA256: 1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cleanup
Name: Loki Password Stealer (PWS), LokiBot
Description:
"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose (file extension: file description):
  • .exe: A copy of the malware that will execute every time the user account is logged into
  • .lck: A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts
  • .hdb: A database of hashes for data that has already been exfiltrated to the C2 server
  • .kdb: A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types (byte: payload type):
  • 0x26: Stolen Cryptocurrency Wallet
  • 0x27: Stolen Application Data
  • 0x28: Get C2 Commands from C2 Server
  • 0x29: Stolen File
  • 0x2A: POS (Point of Sale?)
  • 0x2B: Keylogger Data
  • 0x2C: Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server (byte: instruction description):
  • 0x00: Download EXE & Execute
  • 0x01: Download DLL & Load #1
  • 0x02: Download DLL & Load #2
  • 0x08: Delete HDB File
  • 0x09: Start Keylogger
  • 0x0A: Mine & Steal Data
  • 0x0E: Exit Loki-Bot
  • 0x0F: Upgrade Loki-Bot
  • 0x10: Change C2 Polling Frequency
  • 0x11: Delete Executables & Exit

Suricata Signatures (rule SID: rule name):
  • 2024311: ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
  • 2024312: ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
  • 2024313: ET TROJAN Loki Bot Request for C2 Commands Detected M1
  • 2024314: ET TROJAN Loki Bot File Exfiltration Detected
  • 2024315: ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
  • 2024316: ET TROJAN Loki Bot Screenshot Exfiltration Detected
  • 2024317: ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
  • 2024318: ET TROJAN Loki Bot Request for C2 Commands Detected M2
  • 2024319: ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
Attribution:
  • SWEED
  • The Gorgon Group
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Yara matches (Source | Rule | Description | Author | Strings):

Source: dump.pcap | Rule: JoeSecurity_Lokibot_1 | Description: Yara detected Lokibot | Author: Joe Security

Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_GENInfoStealer | Description: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen | Strings:
  • 0x17936:$f1: FileZilla\recentservers.xml
  • 0x17976:$f2: FileZilla\sitemanager.xml
  • 0x15be6:$b2: Mozilla\Firefox\Profiles
  • 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x15afa:$s4: logins.json
  • 0x169a4:$s6: wand.dat
  • 0x15424:$a1: username_value
  • 0x15414:$a2: password_value
  • 0x15a5f:$a3: encryptedUsername
  • 0x15acc:$a3: encryptedUsername
  • 0x15a72:$a4: encryptedPassword
  • 0x15ae0:$a4: encryptedPassword
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Lokibot_1f885282 | Description: unknown | Author: unknown | Strings:
  • 0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk

Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack | Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack | Rule: INDICATOR_SUSPICIOUS_GENInfoStealer | Description: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen | Strings:
  • 0x17936:$f1: FileZilla\recentservers.xml
  • 0x17976:$f2: FileZilla\sitemanager.xml
  • 0x15be6:$b2: Mozilla\Firefox\Profiles
  • 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x15afa:$s4: logins.json
  • 0x169a4:$s6: wand.dat
  • 0x15424:$a1: username_value
  • 0x15414:$a2: password_value
  • 0x15a5f:$a3: encryptedUsername
  • 0x15acc:$a3: encryptedUsername
  • 0x15a72:$a4: encryptedPassword
  • 0x15ae0:$a4: encryptedPassword
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Lokibot_1f885282 | Description: unknown | Author: unknown | Strings:
  • 0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk

No Sigma rule has matched
Snort IDS alerts (one line per alert):
Timestamp: 03/21/23-07:13:25.127064 | SID: 2024313 | TCP 192.168.2.4:49700 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:22.578656 | SID: 2021641 | TCP 192.168.2.4:49698 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:23.800015 | SID: 2024318 | TCP 192.168.2.4:49699 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:22.578656 | SID: 2024312 | TCP 192.168.2.4:49698 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:25.127064 | SID: 2024318 | TCP 192.168.2.4:49700 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:23.800015 | SID: 2021641 | TCP 192.168.2.4:49699 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:27.165442 | SID: 2021641 | TCP 192.168.2.4:49701 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:27.165442 | SID: 2024313 | TCP 192.168.2.4:49701 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:22.578656 | SID: 2024317 | TCP 192.168.2.4:49698 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:27.165442 | SID: 2024318 | TCP 192.168.2.4:49701 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:23.800015 | SID: 2024313 | TCP 192.168.2.4:49699 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:21.229954 | SID: 2024317 | TCP 192.168.2.4:49697 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:28.916498 | SID: 2024313 | TCP 192.168.2.4:49702 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:28.916498 | SID: 2021641 | TCP 192.168.2.4:49702 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:28.916498 | SID: 2024318 | TCP 192.168.2.4:49702 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:21.229954 | SID: 2021641 | TCP 192.168.2.4:49697 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:25.127064 | SID: 2021641 | TCP 192.168.2.4:49700 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected
Timestamp: 03/21/23-07:13:21.229954 | SID: 2024312 | TCP 192.168.2.4:49697 -> 64.227.48.212:80 | Classtype: A Network Trojan was detected

AV Detection

Source: DHL_Express_Shipment_DOC.exe | ReversingLabs: Detection: 18%
Source: DHL_Express_Shipment_DOC.exe | Virustotal: Detection: 30%
Source: DHL_Express_Shipment_DOC.exe | Joe Sandbox ML: detected
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Source: DHL_Express_Shipment_DOC.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHL_Express_Shipment_DOC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xqcD.pdb source: DHL_Express_Shipment_DOC.exe
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

Networking

Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49697 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49697 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49697 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49698 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49698 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49698 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49699 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49699 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49699 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49700 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49700 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49700 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49701 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49701 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49701 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49702 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49702 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49702 -> 64.227.48.212:80
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 64.227.48.212
Source: global traffic | HTTP traffic detected (this request was observed 2 times):
  POST /?page_id=215360 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 64.227.48.212
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 2F9D8E6A
  Content-Length: 190
  Connection: close
Source: global traffic | HTTP traffic detected (this request was observed 4 times):
  POST /?page_id=215360 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 64.227.48.212
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 2F9D8E6A
  Content-Length: 163
  Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 64.227.48.212 (this entry was reported 50 times)
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp, DHL_Express_Shipment_DOC.exe, 00000003.00000002.486364234.000000000049F000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://64.227.48.212/?page_id=215360
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp, DHL_Express_Shipment_DOC.exe, 00000003.00000002.487142894.0000000003519000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://robertmario.is/?feed=comments-rss2
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp, DHL_Express_Shipment_DOC.exe, 00000003.00000002.487142894.0000000003519000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://robertmario.is/?feed=rss2
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://robertmario.is/index.php?rest_route=/
Source: DHL_Express_Shipment_DOC.exe, DHL_Express_Shipment_DOC.exe, 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.w.org/
Source: unknown | HTTP traffic detected:
  POST /?page_id=215360 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 64.227.48.212
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 2F9D8E6A
  Content-Length: 190
  Connection: close
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00404ED4 recv,

System Summary

Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: DHL_Express_Shipment_DOC.exe PID: 5364, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: initial sample | Static PE information: Filename: DHL_Express_Shipment_DOC.exe
Source: DHL_Express_Shipment_DOC.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: Process Memory Space: DHL_Express_Shipment_DOC.exe PID: 5364, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeCode function: 3_2_0040549C
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeCode function: 3_2_004029D4
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeCode function: String function: 0041219C appears 45 times
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeCode function: String function: 00405B6F appears 42 times
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeProcess Stats: CPU usage > 98%
                Source: DHL_Express_Shipment_DOC.exe, 00000000.00000000.305575984.0000000000E62000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamexqcD.exeR vs DHL_Express_Shipment_DOC.exe
                Source: DHL_Express_Shipment_DOC.exeBinary or memory string: OriginalFilenamexqcD.exeR vs DHL_Express_Shipment_DOC.exe
                Source: DHL_Express_Shipment_DOC.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: DHL_Express_Shipment_DOC.exeReversingLabs: Detection: 18%
                Source: DHL_Express_Shipment_DOC.exeVirustotal: Detection: 30%
                Source: DHL_Express_Shipment_DOC.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeProcess created: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeProcess created: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeCode function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Express_Shipment_DOC.exe.logJump to behavior
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/3@0/1
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeCode function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,
                Source: DHL_Express_Shipment_DOC.exe, 00000003.00000003.465267732.00000000033C7000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: DHL_Express_Shipment_DOC.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeMutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
                Source: DHL_Express_Shipment_DOC.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: DHL_Express_Shipment_DOC.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: DHL_Express_Shipment_DOC.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: xqcD.pdb source: DHL_Express_Shipment_DOC.exe

Data Obfuscation

Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_Express_Shipment_DOC.exe PID: 5364, type: MEMORYSTR
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00402AC0 push eax; ret (listed twice in the report)
Source: initial sample | Static PE information: section name: .text entropy: 7.418461164070656
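The .text entropy of 7.42 reported above, together with the COFF, DllCharacteristics and section flags listed earlier, is a static check worth reproducing outside the sandbox. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks the DOS, COFF, optional and section headers with struct, computes per-section Shannon entropy, and flags executable sections above an assumed 7.0 bits/byte threshold (plain x86 code normally sits well below that; 7+ suggests packed or encrypted content). The minimal PE it builds for its self-test is constructed here with the same flag bits the report prints and is not the analysed binary; pass a file path to run it on a real PE.

```python
import math
import struct

# Bit names for the three characteristics fields the sandbox report prints.
FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
              0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
ENTROPY_THRESHOLD = 7.0   # assumed triage threshold in bits per byte, not a Joe Sandbox constant


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in table.items() if value & bit]


def parse_pe(blob: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symtab, _nsyms, opt_size, file_chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    dll_chars = 0
    if opt_size >= 72:
        # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
        dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, _r, _l, _nr, _nl, sec_chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": shannon_entropy(raw),
                         "flags": flag_names(sec_chars, SECTION_FLAGS)})
    return {"file_flags": flag_names(file_chars, FILE_FLAGS),
            "dll_flags": flag_names(dll_chars, DLL_FLAGS),
            "sections": sections}


def suspicious_code_sections(report: dict, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Names of executable sections whose raw bytes look packed or encrypted."""
    return [s["name"] for s in report["sections"]
            if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and s["entropy"] >= threshold]


def build_test_pe(text_bytes: bytes) -> bytes:
    """Constructed minimal PE32 for self-testing (not the analysed sample): one .text section."""
    e_lfanew, opt_size, raw_ptr = 0x40, 96, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)        # 64-byte DOS header, e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0002 | 0x0004 | 0x0008 | 0x0100)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000, len(text_bytes), raw_ptr,
                      0, 0, 0, 0, 0x20 | 0x20000000 | 0x40000000)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0") + text_bytes


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(bytes(range(256)) * 4)
    rep = parse_pe(blob)
    print("file:", ", ".join(rep["file_flags"]), "| dll:", ", ".join(rep["dll_flags"]))
    for s in rep["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.3f} {' '.join(s['flags'])}")
    print("high-entropy executable sections:", suspicious_code_sections(rep))
```

Entropy alone does not distinguish a packer from a legitimately compressed resource, so treat a hit as a reason to unpack (as the sandbox did for the 400000 region) rather than as a verdict.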
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process information set: NOOPENFILEERRORBOX (34 identical entries)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process information set: NOGPFAULTERRORBOX (115 identical entries)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe TID: 3260 | Thread sleep time: -40023s >= -30000s
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe TID: 1316 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe TID: 1236 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Thread delayed: delay time: 40023
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Thread delayed: delay time: 60000
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Memory allocated: page read and write | page guard
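The sleep values, the fs:[30h] PEB read, the DebugPort query and the token privilege adjustment listed above are what an analyst carries into a triage note. The Python below is an added example, not part of this report: it re-parses those behaviour entries, copied from this report into a constructed list, and maps each to an evasion or anti-debug technique. Two readings in it are mine and should be checked against the raw sandbox data: the sleep figures are treated as milliseconds despite the "s" suffix (180000 is the value the "long sleeps (>= 3 min)" signature fires on), and 922337203685477 is recognised as .NET's TimeSpan.MaxValue expressed in milliseconds, i.e. an unbounded wait. The regexes, labels and thresholds are assumptions, not Joe Sandbox's own rules.

```python
import re
from collections import defaultdict

# Behaviour entries copied from this report into a constructed list, one "Source: <origin> | <event>: <detail>" per line.
EXE = r"C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe"
REPORT_LINES = [
    f"Source: {EXE} TID: 3260 | Thread sleep time: -40023s >= -30000s",
    f"Source: {EXE} TID: 1316 | Thread sleep time: -922337203685477s >= -30000s",
    f"Source: {EXE} TID: 1236 | Thread sleep time: -180000s >= -30000s",
    f"Source: {EXE} | Thread delayed: delay time: 60000",
    f"Source: {EXE} | Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap,",
    f"Source: {EXE} | Process token adjusted: Debug",
    f"Source: {EXE} | Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]",
    f"Source: {EXE} | Process queried: DebugPort",
    f"Source: unknown | Process created: {EXE} {EXE}",
    f"Source: {EXE} | Process created: {EXE} {EXE}",
    f"Source: {EXE} | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,",
]

TIMESPAN_MAX_MS = 922_337_203_685_477   # .NET TimeSpan.MaxValue in milliseconds: an unbounded wait (my reading)
LONG_SLEEP_MS = 180_000                 # assumed threshold, matching the report's "long sleeps (>= 3 min)" signature

# The sandbox prints sleep values with an "s" suffix, but the numbers are milliseconds (180000 -> 3 min).
SLEEP_RE = re.compile(r"Thread sleep time: -(\d+)s|Thread delayed: delay time: (\d+)")
SELF_SPAWN_RE = re.compile(r"^Source: (.+?) \| Process created: (\S+)")

# Pattern -> technique label (assumed mapping). The label's first word is the triage key.
INDICATORS = [
    (re.compile(r"fs:\[00000030h\]"), "peb-access (fs:[30h] read; BeingDebugged/NtGlobalFlag style check)"),
    (re.compile(r"Process queried: DebugPort"), "debugport-query (NtQueryInformationProcess ProcessDebugPort)"),
    (re.compile(r"GetProcessHeap,"), "heap-flags-probe (GetProcessHeap; debugger heap flag check candidate)"),
    (re.compile(r"AdjustTokenPrivileges|Process token adjusted: Debug"), "sedebugprivilege (token privilege adjustment)"),
    (re.compile(r"FindFirstFileW,FindNextFileW"), "file-enumeration (directory walk; credential store discovery candidate)"),
]


def parse_delay_ms(line: str):
    """Milliseconds from a sleep/delay entry, or None for any other line."""
    m = SLEEP_RE.search(line)
    return int(m.group(1) or m.group(2)) if m else None


def classify(line: str) -> list:
    """All technique labels a single behaviour line supports."""
    hits = []
    ms = parse_delay_ms(line)
    if ms is not None:
        if ms == TIMESPAN_MAX_MS:
            hits.append("infinite-wait (TimeSpan.MaxValue)")
        elif ms >= LONG_SLEEP_MS:
            hits.append(f"long-sleep ({ms // 60_000} min)")
        else:
            hits.append(f"short-sleep ({ms} ms)")
    m = SELF_SPAWN_RE.match(line)
    if m and m.group(1).lower() == m.group(2).lower():
        # Parent image equals child image: the pattern behind "creates a process in suspended mode".
        hits.append("self-spawn (child image equals parent image; suspended-process injection candidate)")
    for pattern, label in INDICATORS:
        if pattern.search(line):
            hits.append(label)
    return hits


def triage(lines) -> dict:
    """Technique key -> evidence lines, for a triage note or a detection backlog."""
    found = defaultdict(list)
    for line in lines:
        for label in classify(line):
            found[label.split(" ", 1)[0]].append(line)
    return dict(found)


def total_finite_delay_ms(lines) -> int:
    """Sum of bounded delays; the TimeSpan.MaxValue wait is excluded because it never elapses."""
    return sum(ms for ms in map(parse_delay_ms, lines) if ms is not None and ms != TIMESPAN_MAX_MS)


if __name__ == "__main__":
    for key, evidence in triage(REPORT_LINES).items():
        print(f"{key:<18} {len(evidence)} line(s)")
    print("bounded delay total:", total_finite_delay_ms(REPORT_LINES), "ms")
```

The bounded delays alone add up to 280 seconds for the lines above, which is why a default sandbox run with a short timeout can miss the later credential-harvesting stage; extend the run or patch the sleeps when reproducing this analysis.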
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                Queries volume information (VolumeInformation) for each of the following files:
                  C:\Windows\Fonts\MATURASC.TTF
                  C:\Windows\Fonts\MOD20.TTF
                  C:\Windows\Fonts\NIAGENG.TTF
                  C:\Windows\Fonts\NIAGSOL.TTF
                  C:\Windows\Fonts\OLDENGL.TTF
                  C:\Windows\Fonts\ONYX.TTF
                  C:\Windows\Fonts\PARCHM.TTF
                  C:\Windows\Fonts\PLAYBILL.TTF
                  C:\Windows\Fonts\POORICH.TTF
                  C:\Windows\Fonts\RAVIE.TTF
                  C:\Windows\Fonts\INFROMAN.TTF
                  C:\Windows\Fonts\SHOWG.TTF
                  C:\Windows\Fonts\SNAP____.TTF
                  C:\Windows\Fonts\STENCIL.TTF
                  C:\Windows\Fonts\VINERITC.TTF
                  C:\Windows\Fonts\VIVALDII.TTF
                  C:\Windows\Fonts\VLADIMIR.TTF
                  C:\Windows\Fonts\LATINWD.TTF
                  C:\Windows\Fonts\TCM_____.TTF
                  C:\Windows\Fonts\TCMI____.TTF
                  C:\Windows\Fonts\TCB_____.TTF
                  C:\Windows\Fonts\TCBI____.TTF
                  C:\Windows\Fonts\TCCM____.TTF
                  C:\Windows\Fonts\TCCB____.TTF
                  C:\Windows\Fonts\TCCEB.TTF
                  C:\Windows\Fonts\SCRIPTBL.TTF
                  C:\Windows\Fonts\ROCK.TTF
                  C:\Windows\Fonts\ROCKI.TTF
                  C:\Windows\Fonts\ROCKB.TTF
                  C:\Windows\Fonts\ROCKEB.TTF
                  C:\Windows\Fonts\ROCKBI.TTF
                  C:\Windows\Fonts\ROCC____.TTF
                  C:\Windows\Fonts\ROCCB___.TTF
                  C:\Windows\Fonts\RAGE.TTF
                  C:\Windows\Fonts\PERTILI.TTF
                  C:\Windows\Fonts\PERTIBD.TTF
                  C:\Windows\Fonts\PER_____.TTF
                  C:\Windows\Fonts\PERI____.TTF
                  C:\Windows\Fonts\PERB____.TTF
                  C:\Windows\Fonts\PERBI___.TTF
                  C:\Windows\Fonts\PALSCRI.TTF
                  C:\Windows\Fonts\OCRAEXT.TTF
                  C:\Windows\Fonts\MAIAN.TTF
                  C:\Windows\Fonts\LTYPE.TTF
                  C:\Windows\Fonts\LTYPEO.TTF
                  C:\Windows\Fonts\LTYPEB.TTF
                  C:\Windows\Fonts\LTYPEBO.TTF
                  C:\Windows\Fonts\LSANS.TTF
                  C:\Windows\Fonts\LSANSD.TTF
                  C:\Windows\Fonts\LSANSI.TTF
                  C:\Windows\Fonts\LSANSDI.TTF
                  C:\Windows\Fonts\IMPRISHA.TTF
                  C:\Windows\Fonts\HATTEN.TTF
                  C:\Windows\Fonts\GOUDYSTO.TTF
                  C:\Windows\Fonts\GOUDOS.TTF
                  C:\Windows\Fonts\GOUDOSI.TTF
                  C:\Windows\Fonts\GOUDOSB.TTF
                  C:\Windows\Fonts\GLECB.TTF
                  C:\Windows\Fonts\GIL_____.TTF
                  C:\Windows\Fonts\GILI____.TTF
                  C:\Windows\Fonts\GILB____.TTF
                  C:\Windows\Fonts\GILBI___.TTF
                  C:\Windows\Fonts\GILC____.TTF
                  C:\Windows\Fonts\GLSNECB.TTF
                  C:\Windows\Fonts\GIGI.TTF
                  C:\Windows\Fonts\FRABK.TTF
                  C:\Windows\Fonts\FRABKIT.TTF
                  C:\Windows\Fonts\FORTE.TTF
                  C:\Windows\Fonts\FELIXTI.TTF
                  C:\Windows\Fonts\ERASMD.TTF
                  C:\Windows\Fonts\ERASLGHT.TTF
                  C:\Windows\Fonts\ERASDEMI.TTF
                  C:\Windows\Fonts\ERASBD.TTF
                  C:\Windows\Fonts\ENGR.TTF
                  C:\Windows\Fonts\ELEPHNT.TTF
                  C:\Windows\Fonts\ELEPHNTI.TTF
                  C:\Windows\Fonts\ITCEDSCR.TTF
                  C:\Windows\Fonts\CURLZ___.TTF
                  C:\Windows\Fonts\COPRGTL.TTF
                  C:\Windows\Fonts\COPRGTB.TTF
                  C:\Windows\Fonts\CENSCBK.TTF
                  C:\Windows\Fonts\SCHLBKI.TTF
                  C:\Windows\Fonts\SCHLBKB.TTF
                  C:\Windows\Fonts\SCHLBKBI.TTF
                  C:\Windows\Fonts\CASTELAR.TTF
                  C:\Windows\Fonts\CALIST.TTF
                  C:\Windows\Fonts\CALISTI.TTF
                  C:\Windows\Fonts\CALISTB.TTF
                  C:\Windows\Fonts\CALISTBI.TTF
                  C:\Windows\Fonts\BOOKOS.TTF
                  C:\Windows\Fonts\BOOKOSB.TTF
                  C:\Windows\Fonts\BOOKOSI.TTF
                  C:\Windows\Fonts\BOOKOSBI.TTF
                  C:\Windows\Fonts\BOD_R.TTF
                  C:\Windows\Fonts\BOD_I.TTF
                  C:\Windows\Fonts\BOD_B.TTF
                  C:\Windows\Fonts\BOD_BI.TTF
                  C:\Windows\Fonts\BOD_CR.TTF
                  C:\Windows\Fonts\BOD_BLAR.TTF
                  C:\Windows\Fonts\BOD_CI.TTF
                  C:\Windows\Fonts\BOD_CB.TTF
                  C:\Windows\Fonts\BOD_BLAI.TTF
                  C:\Windows\Fonts\BOD_CBI.TTF
                  C:\Windows\Fonts\ITCBLKAD.TTF
                  C:\Windows\Fonts\ARLRDBD.TTF
                  C:\Windows\Fonts\AGENCYR.TTF
                  C:\Windows\Fonts\AGENCYB.TTF
                  C:\Windows\Fonts\BSSYM7.TTF
                  C:\Windows\Fonts\REFSAN.TTF
                  C:\Windows\Fonts\REFSPCL.TTF
                  C:\Windows\Fonts\MTEXTRA.TTF
                  C:\Windows\Fonts\marlett.ttf
                  C:\Windows\Fonts\segoeuii.ttf
                  C:\Windows\Fonts\segoeuiz.ttf
                  C:\Windows\Fonts\micross.ttf
                  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00406069 GetUserNameW,

                Stealing of Sensitive Information

                Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: DHL_Express_Shipment_DOC.exe PID: 5364, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: PopPassword
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: SmtpPassword
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (numbers in front of a technique are the report's signature counts for that technique)

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 1 Masquerading | 2 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Disable or Modify Tools | 2 Credentials in Registry | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Access Token Manipulation | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 111 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 2 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

                Source | Detection | Scanner | Label | Link
                DHL_Express_Shipment_DOC.exe | 19% | ReversingLabs | |
                DHL_Express_Shipment_DOC.exe | 30% | Virustotal | | Browse
                DHL_Express_Shipment_DOC.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                Source | Detection | Scanner | Label | Link | Download
                3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe |
                http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe |
                http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe |
                http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe |
                http://www.ibsensoftware.com/ | 0% | URL Reputation | safe |
                http://robertmario.is/?feed=rss2 | 0% | Avira URL Cloud | safe |
                http://robertmario.is/index.php?rest_route=/ | 0% | Avira URL Cloud | safe |
                http://64.227.48.212/?page_id=215360 | 0% | Avira URL Cloud | safe |
                http://robertmario.is/?feed=comments-rss2 | 0% | Avira URL Cloud | safe |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
                http://64.227.48.212/?page_id=215360 | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://robertmario.is/?feed=rss2 | DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp, DHL_Express_Shipment_DOC.exe, 00000003.00000002.487142894.0000000003519000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://robertmario.is/?feed=comments-rss2 | DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp, DHL_Express_Shipment_DOC.exe, 00000003.00000002.487142894.0000000003519000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.ibsensoftware.com/ | DHL_Express_Shipment_DOC.exe, DHL_Express_Shipment_DOC.exe, 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://robertmario.is/index.php?rest_route=/ | DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://api.w.org/ | DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  64.227.48.212 | unknown | United States | | 14061 | DIGITALOCEAN-ASNUS | true
                  Joe Sandbox Version:37.0.0 Beryl
                  Analysis ID:831160
                  Start date and time:2023-03-21 07:11:09 +01:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 5m 5s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of new started processes analysed:4
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample file name:DHL_Express_Shipment_DOC.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@3/3@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 97.9% (good quality ratio 93.9%)
                  • Quality average: 77%
                  • Quality standard deviation: 28.6%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Stop behavior analysis, all processes terminated
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
                  • TCP Packets have been reduced to 100
                  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  Time | Type | Description
                  07:13:18 | API Interceptor | 4x Sleep call for process: DHL_Express_Shipment_DOC.exe modified
                  No context
                  Process:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1216
                  Entropy (8bit):5.355304211458859
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                  Process:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:1
                  Process:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):46
                  Entropy (8bit):1.0424600748477153
                  Encrypted:false
                  SSDEEP:3:/lbq:4
                  MD5:8CB7B7F28464C3FCBAE8A10C46204572
                  SHA1:767FE80969EC2E67F54CC1B6D383C76E7859E2DE
                  SHA-256:ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
                  SHA-512:9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:........................................user.
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.414207480565285
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:DHL_Express_Shipment_DOC.exe
                  File size:852480
                  MD5:370ebdf4ff5036c106793994cc851779
                  SHA1:cc04ea26c1364b9a058b55c8697a49e1c7e16970
                  SHA256:1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf
                  SHA512:63c2c4208a7d9c3c1176167f2c015c1a0bcb8b90cbb55cbb879aa93d0d7e0e128c1662273dfb73776c29466cf87c83f84be3acd48f871a125bc2189efafd3803
                  SSDEEP:12288:0wRZRbIx8nvRW3NVuf7sBF84DpHCojUzQO7auRJ0CXfmv5gn:02+xuv89V4gc4DVhhuRax
                  TLSH:F00507435EBB5085E8B70F38547A76980B34E953BDD9903B3CC9B61A8FFA68360463D1
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[..d..............0.................. ... ....@.. .......................`............@................................
                  Icon Hash:00828e8e8686b000
                  Entrypoint:0x4d16ae
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6419125B [Tue Mar 21 02:11:39 2023 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
add byte ptr [eax], al
(the same instruction repeats for the remainder of the entrypoint listing: after the CLR stub's jmp the bytes are zero padding, which decodes as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd1660          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd2000          0x5d8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd4000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xd161d          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xcf6b4       0xcf800   False     0.7503800357680723  data       7.418461164070656    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xd2000          0x5d8         0x600     False     0.4309895833333333  data       4.156248863214128    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd4000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country
RT_VERSION   0xd20a0  0x34c  data
RT_MANIFEST  0xd23ec  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                                                 Source Port  Dest Port  Source IP    Dest IP
03/21/23-07:13:25.127064  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1                   49700        80         192.168.2.4  64.227.48.212
03/21/23-07:13:22.578656  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           49698        80         192.168.2.4  64.227.48.212
03/21/23-07:13:23.800015  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2                   49699        80         192.168.2.4  64.227.48.212
03/21/23-07:13:22.578656  TCP       2024312  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  49698        80         192.168.2.4  64.227.48.212
03/21/23-07:13:25.127064  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2                   49700        80         192.168.2.4  64.227.48.212
03/21/23-07:13:23.800015  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           49699        80         192.168.2.4  64.227.48.212
03/21/23-07:13:27.165442  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           49701        80         192.168.2.4  64.227.48.212
03/21/23-07:13:27.165442  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1                   49701        80         192.168.2.4  64.227.48.212
03/21/23-07:13:22.578656  TCP       2024317  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  49698        80         192.168.2.4  64.227.48.212
03/21/23-07:13:27.165442  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2                   49701        80         192.168.2.4  64.227.48.212
03/21/23-07:13:23.800015  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1                   49699        80         192.168.2.4  64.227.48.212
03/21/23-07:13:21.229954  TCP       2024317  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  49697        80         192.168.2.4  64.227.48.212
03/21/23-07:13:28.916498  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1                   49702        80         192.168.2.4  64.227.48.212
03/21/23-07:13:28.916498  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           49702        80         192.168.2.4  64.227.48.212
03/21/23-07:13:28.916498  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2                   49702        80         192.168.2.4  64.227.48.212
03/21/23-07:13:21.229954  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           49697        80         192.168.2.4  64.227.48.212
03/21/23-07:13:25.127064  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           49700        80         192.168.2.4  64.227.48.212
03/21/23-07:13:21.229954  TCP       2024312  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  49697        80         192.168.2.4  64.227.48.212
                  • 64.227.48.212


                  Target ID:0
                  Start time:07:12:04
                  Start date:21/03/2023
                  Path:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Imagebase:0xe60000
                  File size:852480 bytes
                  MD5 hash:370EBDF4FF5036C106793994CC851779
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:low

                  Target ID:3
                  Start time:07:13:18
                  Start date:21/03/2023
                  Path:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Imagebase:0x7ff61e220000
                  File size:852480 bytes
                  MD5 hash:370EBDF4FF5036C106793994CC851779
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  No disassembly