
Windows Analysis Report
DHL_Shippment_Notification_File1_TRK#92992.exe

Overview

General Information

Sample Name: DHL_Shippment_Notification_File1_TRK#92992.exe
Analysis ID: 703288
MD5: ae1ece1ab35f950a1822c606a7c31468
SHA1: a03b8e19d1618de3b01f614fec4e7f2009a8d246
SHA256: c6dae959f8e5373c6ac8746cfd8227b8d8099b692ee726aacbe18ecf1479282e
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • DHL_Shippment_Notification_File1_TRK#92992.exe (PID: 2088 cmdline: "C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe" MD5: AE1ECE1AB35F950A1822C606A7C31468)
    • MSBuild.exe (PID: 5504 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "marou.ouerghi@phossphea.com", "Password": "EpP@%mB2", "Host": "smtp.phossphea.com"}
Source | Rule | Description | Author | Strings
00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Strings:
  • 0x31064:$a3: MailAccountConfiguration
  • 0x3107d:$a5: SmtpAccountConfiguration
  • 0x31044:$a8: set_BindingAccountConfiguration
  • 0x2ffb1:$a11: get_securityProfile
  • 0x2fe52:$a12: get_useSeparateFolderTree
  • 0x317a7:$a13: get_DnsResolver
  • 0x30261:$a14: get_archivingScope
  • 0x30089:$a15: get_providerName
  • 0x32792:$a17: get_priority
  • 0x31d66:$a18: get_advancedParameters
  • 0x3117e:$a19: get_disabledByRestriction
  • 0x2fc28:$a20: get_LastAccessed
  • 0x302fb:$a21: get_avatarType
  • 0x31e7d:$a22: get_signaturePresets
  • 0x30923:$a23: get_enableLog
  • 0x30106:$a26: set_accountName
  • 0x322c8:$a27: set_InternalServerPort
  • 0x2f599:$a28: set_bindingConfigurationUID
  • 0x31e43:$a29: set_IdnAddress
  • 0x32646:$a30: set_GuidMasterKey
  • 0x30161:$a31: set_username
00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Strings:
  • 0x2ef1f:$s1: get_kbok
  • 0x2f853:$s2: get_CHoo
  • 0x304ae:$s3: set_passwordIsSet
  • 0x2ed23:$s4: get_enableLog
  • 0x333cb:$s8: torbrowser
  • 0x31da7:$s10: logins
  • 0x3171f:$s11: credential
  • 0x2e116:$g1: get_Clipboard
  • 0x2e124:$g2: get_Keyboard
  • 0x2e131:$g3: get_Password
  • 0x2f701:$g4: get_CtrlKeyDown
  • 0x2f711:$g5: get_ShiftKeyDown
  • 0x2f722:$g6: get_AltKeyDown
0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Strings:
  • 0x2f464:$a3: MailAccountConfiguration
  • 0x2f47d:$a5: SmtpAccountConfiguration
  • 0x2f444:$a8: set_BindingAccountConfiguration
  • 0x2e3b1:$a11: get_securityProfile
  • 0x2e252:$a12: get_useSeparateFolderTree
  • 0x2fba7:$a13: get_DnsResolver
  • 0x2e661:$a14: get_archivingScope
  • 0x2e489:$a15: get_providerName
  • 0x30b92:$a17: get_priority
  • 0x30166:$a18: get_advancedParameters
  • 0x2f57e:$a19: get_disabledByRestriction
  • 0x2e028:$a20: get_LastAccessed
  • 0x2e6fb:$a21: get_avatarType
  • 0x3027d:$a22: get_signaturePresets
  • 0x2ed23:$a23: get_enableLog
  • 0x2e506:$a26: set_accountName
  • 0x306c8:$a27: set_InternalServerPort
  • 0x2d999:$a28: set_bindingConfigurationUID
  • 0x30243:$a29: set_IdnAddress
  • 0x30a46:$a30: set_GuidMasterKey
  • 0x2e561:$a31: set_username
1.0.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                Networking

Source: Network Connection, Author: Joe Security, Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 5504, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49756
Snort IDS alerts:
Timestamp | Source IP | Source Port | Destination IP | Destination Port | SID | Protocol | Classtype
09/15/22-09:39:04.357043 | 192.168.2.3 | 49756 | 208.91.198.143 | 587 | 2840032 | TCP | A Network Trojan was detected
09/15/22-09:39:04.356923 | 192.168.2.3 | 49756 | 208.91.198.143 | 587 | 2030171 | TCP | A Network Trojan was detected
09/15/22-09:39:04.357043 | 192.168.2.3 | 49756 | 208.91.198.143 | 587 | 2851779 | TCP | A Network Trojan was detected
09/15/22-09:39:04.356923 | 192.168.2.3 | 49756 | 208.91.198.143 | 587 | 2839723 | TCP | A Network Trojan was detected


                AV Detection

Source: DHL_Shippment_Notification_File1_TRK#92992.exe, Joe Sandbox ML: detected
Source: 1.0.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 1.0.MSBuild.exe.400000.0.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "marou.ouerghi@phossphea.com", "Password": "EpP@%mB2", "Host": "smtp.phossphea.com"}
Source: DHL_Shippment_Notification_File1_TRK#92992.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DHL_Shippment_Notification_File1_TRK#92992.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49756 -> 208.91.198.143:587
Source: Traffic, Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49756 -> 208.91.198.143:587
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49756 -> 208.91.198.143:587
Source: Traffic, Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49756 -> 208.91.198.143:587
Source: Yara match, File source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View, IP Address: 208.91.198.143
Source: global traffic, TCP traffic: 192.168.2.3:49756 -> 208.91.198.143:587
                Source: unknownDNS traffic detected: queries for: smtp.phossphea.com

System Summary

Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.MSBuild.exe.400000.0.unpack, <PrivateImplementationDetails>{EC398326-75D0-4C9E-AE6D-DF28D1FDAC04}/67652608-D25C-4A4C-A5F8-F1C8C9C57E68.cs | Large array initialization: .cctor: array initializer size 11937
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Code function: 0_2_0237E690
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Code function: 0_2_0237C244
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Code function: 0_2_0237E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_013646A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01364630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01364690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0136D2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01560910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01564AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0156D378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015673D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01569718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0156BA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01569EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01565450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01563430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0157B618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015765E0
Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000000.249352605.0000000000012000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename mQstcs.exeL vs DHL_Shippment_Notification_File1_TRK#92992.exe
Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.294035854.0000000006C40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename Metal.dllJ vs DHL_Shippment_Notification_File1_TRK#92992.exe
Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ewGZpXyfvZrYFVQpPowkwWoYE.exe4 vs DHL_Shippment_Notification_File1_TRK#92992.exe
Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Metal.dllJ vs DHL_Shippment_Notification_File1_TRK#92992.exe
Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.277993136.000000000257D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ewGZpXyfvZrYFVQpPowkwWoYE.exe4 vs DHL_Shippment_Notification_File1_TRK#92992.exe
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Binary or memory string: OriginalFilename mQstcs.exeL vs DHL_Shippment_Notification_File1_TRK#92992.exe
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe "C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe"
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Shippment_Notification_File1_TRK#92992.exe.log
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@3/1@2/1
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 1.0.MSBuild.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static file information: File size 1113600 > 1048576
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10f400
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: DHL_Shippment_Notification_File1_TRK#92992.exe, GreenPixelsCalculator/FormPixel.cs | .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.DHL_Shippment_Notification_File1_TRK#92992.exe.10000.0.unpack, GreenPixelsCalculator/FormPixel.cs | .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: DHL_Shippment_Notification_File1_TRK#92992.exe | Static PE information: 0xF3BCEC5A [Sat Aug 1 05:19:22 2099 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.239736670767991
Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAMETSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONSFSELECT * FROM WIN32_VIDEOCONTROLLER
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe TID: 5420 | Thread sleep time: -41226s >= -30000s
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe TID: 1360 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4124 | Thread sleep count: 31 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4124 | Thread sleep time: -28592453314249787s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1964 | Thread sleep count: 9861 > 30
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 9861
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Thread delayed: delay time: 41226
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\6HARDWARE\Description\System"SystemBiosVersion
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMUNSYSTEM\ControlSet001\Services\Disk\Enum
                Source: DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.278025439.0000000002582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                Source: MSBuild.exe, 00000001.00000003.498523950.000000000618A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.525090001.000000000618E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0156E1A8 LdrInitializeThunk,1_2_0156E1A8
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match | File source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.36747a8.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.DHL_Shippment_Notification_File1_TRK#92992.exe.3576988.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000000.273505808.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.287637852.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: DHL_Shippment_Notification_File1_TRK#92992.exe PID: 2088, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5504, type: MEMORYSTR

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 11 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 12 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                Source | Detection | Scanner | Label
                DHL_Shippment_Notification_File1_TRK#92992.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                Source | Detection | Scanner | Label
                1.0.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                Source | Detection | Scanner | Label
                smtp.phossphea.com | 1% | Virustotal |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | high
                smtp.phossphea.com | unknown | unknown | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/zDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257020072.000000000538A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://support.mailhostbox.com/email-administrators-guide-error-codes/MSBuild.exe, 00000001.00000002.522163112.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.522069418.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.521387791.000000000324C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.founder.com.cn/cnDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255588553.0000000005385000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/frere-jones.htmlDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.jiyu-kobo.co.jp/uDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257020072.000000000538A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://ZXnohkADwCrkK9XFdZI.comMSBuild.exe, 00000001.00000002.521863996.000000000329E000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257020072.000000000538A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.comionozDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.275655212.0000000005380000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.zhongyicts.com.cno.DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.256152857.0000000005385000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers8DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000002.292348570.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.tiro.comNormDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.255633975.0000000005387000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/cDHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.257916309.000000000538F000.00000004.00000800.00020000.00000000.sdmp, DHL_Shippment_Notification_File1_TRK#92992.exe, 00000000.00000003.258185482.000000000538F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://hGabWS.comMSBuild.exe, 00000001.00000002.518675466.0000000002F51000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.91.198.143 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 703288
Start date and time: 2022-09-15 09:36:13 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DHL_Shippment_Notification_File1_TRK#92992.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 54
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.50.105.163, 20.31.108.18, 80.67.82.235, 80.67.82.211, 209.197.3.8, 20.199.120.182, 20.234.34.18, 104.214.104.116, 20.199.120.85
• Excluded domains from analysis (whitelisted): asf-ris-prod-scus-azsc.southcentralus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, iris-de-prod-azsc-weu-b.westeurope.cloudapp.azure.com, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, e16604.g.akamaiedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, ris-prod-eudb.trafficmanager.net
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:37:16 | API Interceptor | 1x Sleep call for process: DHL_Shippment_Notification_File1_TRK#92992.exe modified
09:37:32 | API Interceptor | 692x Sleep call for process: MSBuild.exe modified
Match: 208.91.198.143
Associated Sample Name / URL | Detection
Dynatect Quoting-SP 6048-1.exe | malicious
yp4Lcb8iNuoakvV.exe | malicious
78JbpvX5I2.exe | malicious
26082022Mga detalye ng pagbabayad_PDF.exe | malicious
RzNYM7YvjV.exe | malicious
Bank Slip.exe | malicious
PO.exe | malicious
TRANSFERENCIA 112987.17.js | malicious
PO_FRUITILEGBH200220815.exe | malicious
#U8a62#U50f9 5000649.exe | malicious
SecuriteInfo.com.W32.AIDetectNet.01.4726.exe | malicious
Order Inquiry List.exe | malicious
Payment slip #59221301.exe | malicious
Document.exe | malicious
SecuriteInfo.com.Trojan.Olock.1.1431.exe | malicious
DOC_6000019430_AUGUST2022.EXE | malicious
PURCHASE ORDER.exe | malicious
PAYMENT ADVICE.exe | malicious
Doc_Requisition Quote_JULY2022.exe | malicious
pdf.exe | malicious
Match: us2.smtp.mailhostbox.com
Associated Sample Name / URL | Detection | Context
Dynatect Quoting-SP 6048-1.exe | malicious | 208.91.198.143
PO080M2022.exe | malicious | 208.91.199.223
GtkmlwjtDuBs57n.exe | malicious | 208.91.199.223
gs3TdJOr4H.exe | malicious | 208.91.199.223
SecuriteInfo.com.Win32.PWSX-gen.7505.exe | malicious | 208.91.199.223
or22fuJ5syXer7N.exe | malicious | 208.91.199.225
SOA Shenzhen H&O International Pdf.exe | malicious | 208.91.199.223
kZBnWfdiFSc3EzW.exe | malicious | 208.91.199.225
PmXNEivvO5NiSJh.exe | malicious | 208.91.199.223
yp4Lcb8iNuoakvV.exe | malicious | 208.91.198.143
DHLTracking_File02092022N289282100000.exe | malicious | 208.91.199.223
SecuriteInfo.com.Trojan.PackedNET.1505.29145.25484.exe | malicious | 208.91.199.223
LGri43t5b5MMet7.exe | malicious | 208.91.198.143
23082022Paymentdetails_PDF.exe | malicious | 208.91.199.223
Curriculum vitae.exe | malicious | 208.91.199.225
Ordem de compra.exe | malicious | 208.91.199.225
RFQ-6066789.exe | malicious | 208.91.199.225
78JbpvX5I2.exe | malicious | 208.91.198.143
CV.exe | malicious | 208.91.199.223
26082022Mga detalye ng pagbabayad_PDF.exe | malicious | 208.91.198.143
Match: PUBLIC-DOMAIN-REGISTRYUS
Associated Sample Name / URL | Detection | Context
Confirmation transfer Copy MT103 02426.js | malicious | 103.53.40.15
Dynatect Quoting-SP 6048-1.exe | malicious | 208.91.198.143
PAYMENT COPY.exe | malicious | 162.215.240.200
EMss.N1.cSoZ.js | malicious | 103.50.163.157
PO080M2022.exe | malicious | 208.91.199.223
Item List_RFQ 42723.exe | malicious | 199.79.62.20
IMAGESCANDOCUMENTSFILE5656HU.exe | malicious | 199.79.62.221
GtkmlwjtDuBs57n.exe | malicious | 208.91.199.223
Confirmation transfer Copy MT103 00162426.js | malicious | 103.53.40.15
k9FVGvrYfH.exe | malicious | 199.79.62.221
k9FVGvrYfH.exe | malicious | 199.79.62.221
gs3TdJOr4H.exe | malicious | 208.91.199.223
SecuriteInfo.com.Win32.PWSX-gen.7505.exe | malicious | 208.91.199.223
Swift Copy.exe | malicious | 103.195.185.115
Confirmation transfer Copy MT103 Ref-101019906.js | malicious | 103.53.40.15
SOA Shenzhen H&O International Pdf.exe | malicious | 208.91.199.223
kZBnWfdiFSc3EzW.exe | malicious | 208.91.199.225
PmXNEivvO5NiSJh.exe | malicious | 208.91.199.223
yp4Lcb8iNuoakvV.exe | malicious | 208.91.198.143
Proforma Invoice.exe | malicious | 103.195.185.115
                                                                                  No context
                                                                                  No context
Process: C:\Users\user\Desktop\DHL_Shippment_Notification_File1_TRK#92992.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5: 2E016B886BDB8389D2DD0867BE55F87B
SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512: C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.2345776578337535
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: DHL_Shippment_Notification_File1_TRK#92992.exe
File size: 1113600
MD5: ae1ece1ab35f950a1822c606a7c31468
SHA1: a03b8e19d1618de3b01f614fec4e7f2009a8d246
SHA256: c6dae959f8e5373c6ac8746cfd8227b8d8099b692ee726aacbe18ecf1479282e
SHA512: ce3a0f0a7d53079431a2d71233bf3dbfa37151d3ebccffd1a63f5521b8bf451e1396fc17b9febc7ffeb156462344a4b657ea12cd799de0341706cb9cb8f1ae97
SSDEEP: 12288:rdgvgZ2hNxedCcbbRZJsP+Jz7P7O77OKJDszIeQUq3MnemCj1XrNYATi+U/L:Z+Uyelbj2Enz4yKVa2cXC5rSCe
TLSH: 4C35F1281666C90AC8AAA574DCD2F2711E685DD1836FC74B08EC3C7BF27738C6D913A5
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.................0.............".... ... ....@.. .......................`............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x511322
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF3BCEC5A [Sat Aug 1 05:19:22 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint, 0x511322):
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times)

The first instruction is the standard native stub of a .NET executable: an indirect jump through the single IAT slot (IAT directory at RVA 0x2000, which is 0x402000 with this image base) that the loader fills with the address of mscoree.dll!_CorExeMain; the CLR then locates the managed entry point via the COM descriptor at RVA 0x2008. The stub is 6 bytes long and ends exactly at the virtual end of .text (0x111322 + 6 = 0x111328 = 0x2000 + 0x10f328), so the 97 "add byte ptr [eax], al" lines are the disassembler decoding the zero bytes that pad the section out to its raw size, not code.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1112d0         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x112000         0x5d4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x114000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1112b4         0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x10f328      0x10f400  False     0.7842003888248847  data       7.239736670767991    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x112000         0x5d4         0x600     False     0.427734375         data       4.136423920181342    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x114000         0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

An entropy of 7.24 across a 1.1 MB .text section is far above what compiled code produces (plain code and metadata usually sit well under 6.5); it indicates that most of the section is compressed or encrypted payload data carried inside the assembly rather than instructions.
Name         RVA       Size   Type                                                                         Language  Country
RT_VERSION   0x112090  0x344  data
RT_MANIFEST  0x1123e4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain

This is the only native import; every other API the sample uses is resolved by the CLR at run time, so the import table says nothing about its behaviour.
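The fields above can be reproduced without the sandbox. The following Python is an added example, not Joe Sandbox code and not part of the report: it parses a PE32 image with nothing but struct, reads the COFF and optional headers, the data directories and the section table, decodes the entry stub and checks that its jump target lands inside the IAT directory, walks the import descriptors, computes a pefile-style import hash, computes per-section Shannon entropy and flags a timestamp later than the analysis date. The image it parses is constructed inline to mirror this report's layout (IAT at RVA 0x2000, CLR header at RVA 0x2008, the same timestamp and DLL characteristics) with a single 0x200-byte .text section; build_sample(), triage() and the analysis date are assumptions of the example. Pass the bytes of a real file to triage() to get the same fields for it.

```python
"""Derive the static PE fields above (entry stub, directories, entropy, timestamp, imports, imphash) from raw bytes."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DIR_NAMES = ("EXPORT IMPORT RESOURCE EXCEPTION SECURITY BASERELOC DEBUG COPYRIGHT GLOBALPTR TLS "
             "LOAD_CONFIG BOUND_IMPORT IAT DELAY_IMPORT COM_DESCRIPTOR RESERVED").split()
DLL_CHARS = {0x40: "DYNAMIC_BASE", 0x100: "NX_COMPAT", 0x400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
ANALYSIS_TIME = datetime(2022, 9, 1, tzinfo=timezone.utc)  # assumed; any date before 2099 gives the same verdict

def build_sample():
    """Constructed PE32 (not the real sample): one 0x200-byte .text at RVA 0x2000 laid out like the report."""
    text = bytearray(0x200)
    text[0x00:0x08] = struct.pack("<II", 0x2090, 0)                     # IAT: one thunk -> hint/name, terminator
    text[0x08:0x10] = struct.pack("<IHH", 0x48, 2, 5)                   # IMAGE_COR20_HEADER: cb, runtime 2.5
    text[0x50:0x64] = struct.pack("<5I", 0x2078, 0, 0, 0x2080, 0x2000)  # import descriptor: ILT, ts, fwd, name, IAT
    text[0x78:0x80] = struct.pack("<II", 0x2090, 0)                     # import lookup table
    text[0x80:0x8C] = b"mscoree.dll\0"
    text[0x90:0x9E] = struct.pack("<H", 0) + b"_CorExeMain\0"           # hint/name entry
    text[0xA0:0xA6] = b"\xff\x25" + struct.pack("<I", 0x402000)         # entry point: jmp dword ptr [0x402000]
    dirs = [(0, 0)] * 16
    dirs[1], dirs[12], dirs[14] = (0x2050, 0x28), (0x2000, 0x8), (0x2008, 0x48)  # IMPORT, IAT, COM_DESCRIPTOR
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 8, 0, 0x200, 0, 0, 0x20A0, 0x2000, 0x4000, 0x400000, 0x2000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0x8540,  # ..., subsystem GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0xF3BCEC5A, 0, 0, len(opt), 0x0102)  # the report's timestamp
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(0x200, b"\0") + bytes(text)

def parse_pe(data):
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    opt = pe_off + 24
    if data[pe_off:pe_off + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    entry, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    dllchars, ndirs = struct.unpack_from("<H", data, opt + 70)[0], struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rsize": rsize, "rptr": rptr})
    return {"timestamp": ts, "entry": entry, "image_base": image_base, "dllchars": dllchars, "dirs": dirs, "sections": sections}

def rva_to_off(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["rptr"] + rva - s["va"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()

def entropy(blob):
    """Shannon entropy in bits per byte (the report's 'Entropy' column); ~7.2 over 1 MB of .text means packed data."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def decode_entry_stub(pe, data):
    """.NET native entry is 'FF 25 <addr>' (jmp dword ptr [addr]) and addr must lie inside the IAT directory."""
    off = rva_to_off(pe, pe["entry"])
    if data[off:off + 2] != b"\xff\x25":
        return {"target": None, "in_iat": False}
    target = struct.unpack_from("<I", data, off + 2)[0]
    iat_rva, iat_size = pe["dirs"]["IAT"]
    return {"target": target, "in_iat": iat_rva <= target - pe["image_base"] < iat_rva + iat_size}

def imports(pe, data):
    """Walk the import descriptors; returns [(dll, function)] in table order."""
    rva, out = pe["dirs"]["IMPORT"][0], []
    while rva:
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", data, rva_to_off(pe, rva))
        if not name_rva:
            break
        dll, thunk_off = read_cstr(data, rva_to_off(pe, name_rva)), rva_to_off(pe, ilt or iat)
        while thunk := struct.unpack_from("<I", data, thunk_off)[0]:
            func = f"ord{thunk & 0xFFFF}" if thunk & 0x80000000 else read_cstr(data, rva_to_off(pe, thunk) + 2)
            out.append((dll, func))
            thunk_off += 4
        rva += 20
    return out

def imphash(imps):
    """pefile-style import hash: md5 over 'dll.func' pairs, lower-cased, extension stripped, comma-joined."""
    return hashlib.md5(",".join(f"{d.lower().rsplit('.', 1)[0]}.{f.lower()}" for d, f in imps).encode()).hexdigest()

def triage(data, analysis_time=ANALYSIS_TIME):
    pe = parse_pe(data)
    imps = imports(pe, data)
    built = datetime.fromtimestamp(pe["timestamp"], timezone.utc)
    return {"entry": pe["entry"], "image_base": pe["image_base"], "timestamp": built,
            "timestamp_plausible": built <= analysis_time,  # a build date after the analysis is not a real build date
            "dll_characteristics": [n for bit, n in sorted(DLL_CHARS.items()) if pe["dllchars"] & bit],
            "dirs": pe["dirs"], "entry_stub": decode_entry_stub(pe, data), "imports": imps, "imphash": imphash(imps),
            "sections": [{"name": s["name"], "entropy": entropy(data[s["rptr"]:s["rptr"] + s["rsize"]])} for s in pe["sections"]]}
```

Checking that the entry stub's jump target sits inside the IAT directory is the cheap way to confirm that a .NET binary still has an untouched native stub; computing the import hash is worth doing mainly to recognise the generic .NET value and stop using it for clustering, since every sample built this way shares it.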